|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CNA Rules Announcement
- To: Chandan Nandakumaraiah <cbn@juniper.net>
- Subject: Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Date: Sat, 8 Oct 2016 23:41:41 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: cve-cna-list <cve-cna-list@lists.mitre.org>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Mon Oct 10 08:02:31 2016
- Importance: high
- In-reply-to: <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1610071348180.22653@forced.attrition.org> <21d6a5ec-f1ab-cc13-d159-4fef3991bbca@juniper.net> <alpine.LNX.2.00.1610071921490.22653@forced.attrition.org> <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
On Fri, 7 Oct 2016, Chandan Nandakumaraiah wrote: : > Moving forward sure, but retroactively trying to enforce that for an issue : > that is already abstracted to some degree does not work. : : Agreed. We need a statement or rule on the interaction between new : assignments and assignments based on previous rules. Also need to be careful if we unilaterally change the abstraction rules for CVE if it breaks from a 16 year history. : > Not sure every scanner does that. There is a lot of value in having a : > per-vendor finding in that case, else that single finding will come with a : > list of 250+ advisories that are not easily distinguished from each other, : > that carry the solution. : : We can not solve that problem by assigning 250+ different CVEs for a : common vulnerability. That would be like going back to pre-CVE era, : isn't it? No. Pre-CVE there was BID (for 6 months) and X-Force (for 2 years), neither of which really faces these kind of protocol vulns. There are merits of each abstraction method and we should weigh the pros and cons looking forward, not back. : What if the product-vendor being scanned had never produced an advisory : or fix for the 'POODLE for TLS' issue? Which of the many CVEs should the : scanner use to reference that unique issue? If they do it right, they don't reference a CVE in that case. That is perhaps the most critically dangerous notion the board, or anyone in security, could have; that you *must* have a CVE for it to be a valid security issue or that an issue without a CVE is some kind of weird thing, when it absolutely is not. In fact, that is the norm [1] for many companies. Brian [1] http://www.csoonline.com/article/3122460/techology-business/over-6000-vulnerabilities-went-unassigned-by-mitres-cve-project-in-2015.html
- References:
- CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- CNA Rules Announcement
- Prev by Date: Re: CNA Rules Announcement
- Next by Date: Re: CNA Rules Announcement
- Previous by thread: Re: CNA Rules Announcement
- Next by thread: RE: CNA Rules Announcement
- Index(es):