Re: Microsoft CNA assignment issues for April

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Wednesday, April 19, 2017 at 20:39
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Microsoft CNA assignment issues for April

MITRE,

Now that we've had a week to digest this, we have seen dozens of

mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE

identifiers. Has MITRE determined if these are a collision, or if they can

and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it

concluded with them saying they would pass along my feedback and

suggestion to use a more distinct ID scheme. Hopefully, we'll see

something different for May.

Brian

On Tue, 11 Apr 2017, jericho wrote:

: All,

:

: Microsoft has assigned a single CVE to cover "all April Adobe Flash updates"

: apparently:

:

: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments

:

:    April Flash Security Update           2017-3447

:

: Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.

:

: Further, there is a single ID to cover "defense-in-depth" updates for a

: product:

:

:    Defense-in-Depth Update for Microsoft Office      2017-2605

:

: Which links to

: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605

:

: I am fairly confident that 2017-3447 is not a proper assignment and does not

: follow the CNA guidelines, about assigning IDs to another vendor's products

: (and that vendor happens to be a CNA themselves). We've seen this done in the

: past with Oracle as well.

:

: I'd also be surprised if a single ID assignment for multiple defense-in-depth

: enhancements meets the criteria of a CVE ID, since DiD enhancements generally

: do not mean there is a crossing of privilege boundaries, and therefore not

: vulnerabilities.

:

: Could Microsoft and MITRE chime in on these please?

:

: Brian

: