Re: CVE for hosted services
FYI, this was asked to clarify policy in December. MITRE's official response:
From: "Evans, Jonathan L." <jevans@mitre.org>
X-Originating-IP: [192.160.51.89]
To: jericho <jericho@attrition.org>, cve-cna-list <cve-cna-list@lists.mitre.org>
Date: Thu, 15 Dec 2016 14:10:17 +0000
Subject: RE: site-specific vulnerabilities and CVE inclusion
> First, can MITRE chime in and verify this is still current policy
> regarding site-specific issues?
It is still against the rules to assign a CVE ID to a site-specific
vulnerability. INC3 in the CNA Rules says "Is the vulnerability
site-specific? ... Yes: Do not assign a CVE ID." [1]
We are not opposed to assigning CVE IDs to site-specific
vulnerabilities.
When we finalized the CNA rules, we believed that we did not understand
the use cases for site-specific vulnerabilities well enough to write
rules on how to properly count them. We fully expect support for
site-specific vulnerabilities to be a major topic of the next revision
of the rules.
[1] http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf
--
Jonathan Evans
Lead CVE Content Analyst
The MITRE Corporation
On Wed, 15 Feb 2017, Andy Balinsky (balinsky) wrote:
: I was having some internal discussions with our Incident Response
: team (PSIRT) at Cisco, and the issue came up of whether there are
: either any industry best practices, or Mitre policies regarding CVEs
: for hosted services.
:
: The situation is where a software service is hosted by a vendor on
: servers owned by the vendor. A vulnerability is discovered internally
: by the vendor. It is fixed. No action is required by the customer. She
: just starts using the fixed version next time she visits that webpage.
: So, should the vendor issue an advisory about it? And should a CVE be
: generated?
:
: What are other vendors doing in this case? (Maybe this list isn't the
: best place to be discussing this).
:
: Andy Balinsky
: balinsky@cisco.com