[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: upcoming intel issue
- To: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Subject: Re: upcoming intel issue
- From: Kurt Seifried <kurt@seifried.org>
- Date: Wed, 3 Jan 2018 16:35:14 -0700
- Authentication-results: spf=none (sender IP is 198.49.146.235) smtp.mailfrom=LISTS.MITRE.ORG; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=none action=none header.from=seifried.org;
- Cc: Art Manion <amanion@cert.org>, jericho <jericho@attrition.org>, "Landfield, Kent" <Kent_Landfield@mcafee.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Thu Jan 4 07:57:18 2018
- In-reply-to: <7748E4BAEC3B964387F3535351DCBA1F011545723D@D2ASEPREA010>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CABqVa3-+RnbeTMamFGSXJ8s+7E=Q+PkMDPUYmtdjjey3DZpC0g@mail.gmail.com> <04FBEC57-6834-46C3-B010-8F1105414BF0@mcafee.com> <alpine.LNX.2.00.1801031553470.6952@forced.attrition.org> <9cdfef90-3dc7-960d-b050-9913f2c077a4@cert.org> <2d4f623e-8245-8cc1-4730-6cb1bd3a007a@cert.org> <7748E4BAEC3B964387F3535351DCBA1F011545723D@D2ASEPREA010>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
So some challenges with this one:
1) it is multiple issues
2) it affects multiple vendors at the root cause level
2) it affects multiple vendors with workaround/fix (e.g.... all the OSs, sigh)
So yes it is correct to say that these 3 CVE's were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs.
I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone), the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table as it were.
I also know MITRE has poked me in past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to).
On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:
https://googleprojectzero.blogspot.com/2018/01/reading- privileged-memory-with-side. html
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org ] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <jericho@attrition.org>; Landfield, Kent <Kent_Landfield@McAfee.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG >
Subject: Re: upcoming intel issue
On 1/3/18 5:25 PM, Art Manion wrote:
> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?
https://meltdownattack.com/
CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
Not immediately populated, so not sure what the distinctions are.
- Art
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- Follow-Ups:
- RE: upcoming intel issue
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: upcoming intel issue
- References:
- upcoming intel issue
- From: Kurt Seifried <kurt@seifried.org>
- Re: upcoming intel issue
- From: "Landfield, Kent" <Kent_Landfield@McAfee.com>
- Re: upcoming intel issue
- From: jericho <jericho@attrition.org>
- Re: upcoming intel issue
- From: Art Manion <amanion@cert.org>
- Re: upcoming intel issue
- From: Art Manion <amanion@cert.org>
- RE: upcoming intel issue
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- upcoming intel issue
- Prev by Date: RE: upcoming intel issue
- Next by Date: RE: upcoming intel issue
- Previous by thread: RE: upcoming intel issue
- Next by thread: RE: upcoming intel issue
- Index(es):
