
Re: CVE for hosted services

That rule probably covers it. Thanks, Jericho and Mike, too. I had forgotten to consult that document. 

I don't think it would affect Cisco's decision whether to announce a vulnerability or not. It would just be a decision of whether to issue and attach a CVE to that announcement. 

I guess it gets back to the purpose of a CVE. If the primary purpose is to serve vulnerability scanners, a scanner would never detect a site-specific vulnerability if it were patched before being announced. If it were reported to the vendor, and then took a while to be patched, then it could be something a scanner might want to warn about. Though directing a scanner at someone else's SaaS offering would be unlikely. 

I think the main benefit would be to unify discussions about an issue: if a SaaS vulnerability were disclosed and academic or online discussions then wanted to refer to the vulnerability with specificity, to disambiguate it from some similar vulnerability. That, I suppose, is the only aspect left to debate. I don't know if it is a compelling case or not.


On Feb 15, 2017, at 1:36 PM, Landfield, Kent B <kent.b.landfield@intel.com> wrote:

This has been discussed in the past and the feeling was this was not something that would need a CVE as there is no need to identify the vulnerability outside the organization. Most host providers quickly correct those types of situations and it is generally not an external concern. 
That said, if the vulnerability is in commonly used software supplying a portion of a hosted service that other providers are using as well, it would make sense to ensure the vulnerability was processed appropriately.
The question you have to ask yourself is, does this discovered vulnerability potentially affect other companies and hosted services outside your organization? If so, a CVE is probably needed.  If it is homegrown software that no one else runs or a local configuration issue, then probably not...
Kent Landfield
From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Andy Balinsky (balinsky)" <balinsky@cisco.com>
Date: Wednesday, February 15, 2017 at 11:17 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for hosted services
I was having some internal discussions with our Incident Response team (PSIRT) at Cisco, and the issue came up of whether there are either any industry best practices, or Mitre policies regarding CVEs for hosted services. 
The situation is where a software service is hosted by a vendor on servers owned by the vendor. A vulnerability is discovered internally by the vendor. It is fixed. No action is required by the customer. She just starts using the fixed version next time she visits that webpage. 
So, should the vendor issue an advisory about it? And should a CVE be generated?
What are other vendors doing in this case? (Maybe this list isn't the best place to be discussing this).
Andy Balinsky


Andy Balinsky

Page Last Updated or Reviewed: February 16, 2017