[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

On 2/24/17 11:03 AM, Millar, Thomas wrote:
> How do I use a CVE for a service vuln to check if my environment was
> affected and if so, that my ops have applied the proper remedies?

I don't think you can.  In such as case, CVE is only providing
identification.  Which is still useful and necessary, just not
sufficient for your stated need.

I'd expect there would be service vulnerabilities that get IDs but never
enough additional information to support defensive ops (beyond basic
awareness).

 - Art


> ------------------------------------------------------------------------
> *From:* owner-cve-editorial-board-list@lists.mitre.org on behalf of 
> Kurt
> Seifried
> *Sent:* Friday, February 24, 2017 3:44:39 PM
> *To:* Art Manion
> *Cc:* jericho; Booth, Harold (Fed); cve-editorial-board-list
> *Subject:* Re: CVE for hosted services
> 
> So uhh I'll just leave this example here:
> 
> https://www.google.ca/search?q=cloudflare+cloudbleed
> 
> I know for example on the CloudSecurityAlliance side I now need to
> forcibly reset every password for all our websites, and look at the
> third parties we do auth from (e.g. FaceBook/Linkedin) to see if they
> are affected (not that there is much we can do other than notify 
> people). 
> 
> On Thu, Feb 23, 2017 at 8:36 PM, Art Manion <amanion@cert.org
> <mailto:amanion@cert.org>> wrote:
> 
>     On 2017-02-23 19:05, jericho wrote:
> 
>     > https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
>     <https://bugs.chromium.org/p/project-zero/issues/detail?id=1139>
>     >
>     > Harold, how would you write a CVE-ish description of this, in 
> the context
>     > of moving CVE to site-specific issues? The service and info 
> disclosed is
>     > the easy part. Then what? Do you also mention some of the 
> services that
>     > use Cloudflare? Some businesses may know, where individuals do 
> not (e.g.
>     > 1Password is hosted on it). What date range do you put down for 
> this? You
>     > know the fix date, but not the start date. This goes back to 
> the problem
>     > of making such entries useful to companies trying to determine 
> risk.
> 
>     Not answering your question, but:
> 
>     This issue should get a CVE ID so the world can talk about it and 
> have
>     confidence they're talking about the same "it."  The description 
> might
>     be tricky, but the description is primarily to 
> catalog/de-duplicate, not
>     to help assess risk.
> 
>     CVE is lower layer of infrastructure.  Someone else (NVD, CVSS, 
> RBS,
>     CERT, a CloudFlare customer) can add to the severity/risk 
> assessment.
> 
>      - Art
> 
> 
> 
> 
> -- 
> 
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@redhat.com
> <mailto:secalert@redhat.com>
Page Last Updated or Reviewed: February 24, 2017