MITRE/CVE and FIRST/CVSSv3 mismatch in idetifying vulnerabilities

[Kurt Seifried <kseifried@redhat.com>]

So MITRE/CVE allows for intersection vulns which involve more than a single vulnerable component. FIRST/CVSSv3 doesn't appear to:

https://www.first.org/cvss/specification-document

The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as thevulnerable component. On the other hand, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.

While the vulnerable component is typically a software application, module, driver, etc. (or possibly even a hardware device), the impacted component could be a software application, a hardware device or a network resource. This potential for measuring the impact of a vulnerability other than the vulnerable component, is a key feature of CVSS v3.0. This property is captured, and further discussed by the Scope metric below.

I was hoping to get some clarification from FIRST on this (CC'ed), does "vulnerable component" mean a single thing only, or can it mean multiple components which intersect to create a vuln?

Also we should probably have some more cross pollination to determine/define these basic terms and make sure we're all on the same page (like what is hardware, e.g. FPGA's fit in where in this pile?). 

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com