[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE-2017-7269 and abandonware

I agree with Kent's perspective on this.

In this specific case, the discoverer contacted the CNA and received a 
case number. However, they were told that the unsupported/obsolete 
product was outside the scope of the CNA.

> What are the assignment rules for abandonware (or unsupportedware)?

As Kent mentioned, this would be a good Board discussion and we could 
drive to a specific CNA rule that covers this situation. Does anyone 
disagree with Kent's perspective?

> Is the vendor CNA primarily responsible, if one exists?

Yes. We should always give them the opportunity and redirect to them 
first if they exist. If they refuse, then a next available CNA could be 
contacted. One item for the Board discussion, as the backup CNA how 
would we verify that this conversation took place.


Chris

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
Landfield, Kent B
Sent: Thursday, March 30, 2017 9:33 AM
To: Art Manion <amanion@cert.org>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE-2017-7269 and abandonware

From my perspective... I would like it to be the vendor CNA if one 
still exists.  If the vendor refuses or is no longer in business, then 
next up would be to go to a secondary CNA such as you list. 

I would hope the vendor would want to issue that themselves even if the 
product is EOL.  There is concern in various circles that this type of 
acknowledgement from the vendor on an EOL’ed product could cause some 
liability on that vendor. Abandonware is going to become more and more 
of a problem with the new emerging device landscape.  Who owns the 
problems they create?

This is actually a great conversation for the Board to have. 

---
Kent Landfield
+1.817.637.8026

On 3/30/17, 8:52 AM, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of Art Manion" <owner-cve-editorial-board-list@lists.mitre.org 
on behalf of amanion@cert.org> wrote:

    Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?
    
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
    
    What are the assignment rules for abandonware (or unsupportedware)?
    
    Is the vendor CNA primarily responsible, if one exists?
    
    Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC, 
JPCERT/CC?
    
    
     - Art
Page Last Updated or Reviewed: March 30, 2017