|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CNA Rules Announcement
- To: Chandan Nandakumaraiah <cbn@juniper.net>, cve-cna-list <cve-cna-list@lists.mitre.org>
- Subject: RE: CNA Rules Announcement
- From: "Williams, Ken" <Ken.Williams@ca.com>
- Date: Sat, 8 Oct 2016 15:31:02 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=none header.from=ca.com;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Mon Oct 10 08:02:31 2016
- In-reply-to: <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1610071348180.22653@forced.attrition.org> <21d6a5ec-f1ab-cc13-d159-4fef3991bbca@juniper.net> <alpine.LNX.2.00.1610071921490.22653@forced.attrition.org> <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHSIMw/hrTQcv8v6k2LIEA4vePt6qCdnxgAgAAUo4CAAFCwgIAAqiCw
- Thread-topic: CNA Rules Announcement
Solution: Assign a master/primary/original CVE for the "POODLE for TLS" vulnerability, and then assign CVEs as needed for all affected products-vendors. Each of these "secondary" POODLE CVEs should reference/"hashtag" the primary POODLE CVE in their description. Regards, Ken Williams Vulnerability Response Director, Product Vulnerability Response Team CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022 > -----Original Message----- > From: owner-cve-cna-list@lists.mitre.org [mailto:owner-cve-cna- > list@lists.mitre.org] On Behalf Of Chandan Nandakumaraiah > Sent: Saturday, October 08, 2016 12:16 AM > To: cve-cna-list <cve-cna-list@lists.mitre.org> > Cc: cve-editorial-board-list > <cve-editorial-board-list@lists.mitre.org> > Subject: Re: CNA Rules Announcement > > > Moving forward sure, but retroactively trying to enforce that for an > issue > > that is already abstracted to some degree does not work. > > Agreed. We need a statement or rule on the interaction between new > assignments and assignments based on previous rules. > > If we discover a new product with "POODLE for TLS" vulnerability: > (a) do we assign a new CVE id with its use limited to that product > alone (old rule)? > (b) use CVE-2014-8730 (based on INC5 and Appendix E rules)? > (c) assign a new CVE entirely for the "POODLE for TLS" vulnerability? > > > Not sure every scanner does that. There is a lot of value in having > > a > > per-vendor finding in that case, else that single finding will come > > with > a > > list of 250+ advisories that are not easily distinguished from each > other, > > that carry the solution. > > We can not solve that problem by assigning 250+ different CVEs for a > common vulnerability. That would be like going back to pre-CVE era, > isn't it? > > What if the product-vendor being scanned had never produced an > advisory > or fix for the 'POODLE for TLS' issue? Which of the many CVEs should > the > scanner use to reference that unique issue? > > Thanks, > -Chandan > -- > Security Incident Response Team > Juniper Networks
- Follow-Ups:
- Re: CNA Rules Announcement
- From: Scott Lawler <scott.lawler@lp3.com>
- Re: CNA Rules Announcement
- References:
- CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- CNA Rules Announcement
- Prev by Date: Re: CNA Rules Announcement
- Next by Date: Re: CNA Rules Announcement
- Previous by thread: Re: CNA Rules Announcement
- Next by thread: Re: CNA Rules Announcement
- Index(es):