[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Regarding CVE assignments on oss-sec mailing list

> -----Original Message-----
> From: jericho [mailto:jericho@attrition.org]
> Sent: Monday, November 30, 2015 4:49 PM
> To: Williams, Ken <Ken.Williams@ca.com>
> Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Regarding CVE assignments on oss-sec mailing list
> Importance: High
> On Sun, 29 Nov 2015, Williams, Ken wrote:
> : [...]
> : > If CVE fails to provide IDs on a few issues, after three months, I
> will
> : > personally lobby my company to publish advisories without an
> assignment,
> : > and make it very clear that it was done because CVE chose not to
> assign.
> : > It isn't fair that CVE holds up the coordinated disclosure process in
> : > cases where the requesting party and vendor are not CNAs themselves.
> Given
> : > that I suggested CVE expand the CNA body a while back, and that
> appears to
> : > have fell on deaf ears, there is no excuse for MITRE at this point.
> : [...]
> :
> : A disclosure process should never be held up by a pending CVE
> : assignment.  Just go ahead and disclose and put "pending CVE assignment"
> : on the CVE line.
> Except, that is problematic for issues like Apache Commons. CVE's delay in
> assigning, or clearly saying how assignments would be handled (e.g. one ID
> vs one ID per vendor vs one ID per product) led to serious confusion
> already. IBM started using Oracle's assignment in advisories before CVE
> finally replied to IBM PSIRT instructing them to use their own. But the
> damage is done, even with IBM's own ID, some internal divisions are still
> using Oracle's assignment a week later [1].
> This highlights the importance of timely assignments and/or direction from
> CVE to the CNAs.
> .b
> [1] http://www-01.ibm.com/support/docview.wss?uid=swg1JR54748

Can't argue with anything you, Kurt, Pascal, or Art said.  More timely
CVE assignments and responses are needed, and doable.

That said, CVE should never be a roadblock to disclosure, patching, and
security.  We need to be part of the solution instead of creating new

I'd really like to see us devote more effort to a system that provides CVE
identifiers for ALL vulnerabilities, instead of limiting the scope to just
a small subset of the most popular and widely used software.  Then we'd
only have to worry about out how to expand the CVE customer support
organization to deal with the huge backlog of outstanding CVE identifier
review/approval/consolidation tickets.
(not sure if I'm kidding about CS expansion)

Lack of CVE coverage for 3rd party components is a big, existing problem
for me on a daily basis, so I know it's a problem for many others too.


Page Last Updated or Reviewed: December 01, 2015