
Re: Microsoft CNA assignment issues for April


Now that we've had a week to digest this, we have seen dozens of 
mainstream news articles use 2017-3447 and 2017-2605 specifically as 
identifiers. Has MITRE determined if these are a collision, or if they 
will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it 
concluded with them saying they would pass along my feedback and 
suggestion to use a more distinct ID scheme. Hopefully, we'll see 
something different for May.


On Tue, 11 Apr 2017, jericho wrote:

: All,
: Microsoft has assigned a single CVE to cover "all April Adobe Flash 
: apparently:
:    April Flash Security Update        2017-3447
: Which links to 
: Further, there is a single ID to cover "defense-in-depth" updates for 
: product:
:    Defense-in-Depth Update for Microsoft Office       2017-2605
: Which links to
: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605
: I am fairly confident that 2017-3447 is not a proper assignment and 
: does not
: follow the CNA guidelines, about assigning IDs to another vendor's 
: (and that vendor happens to be a CNA themselves). We've seen this 
: done in the
: past with Oracle as well.
: I'd also be surprised if a single ID assignment for multiple 
: enhancements meets the criteria of a CVE ID, since DiD enhancements 
: do not mean there is a crossing of privilege boundaries, and 
: therefore not
: vulnerabilities.
: Could Microsoft and MITRE chime in on these please?
: Brian

Page Last Updated or Reviewed: April 20, 2017