Re: CVE for hosted services

[Kurt Seifried <kseifried@redhat.com>]

So uhh I'll just leave this example here:

https://www.google.ca/search?q=cloudflare+cloudbleed

I know for example on the CloudSecurityAlliance side I now need to forcibly reset every password for all our websites, and look at the third parties we do auth from (e.g. FaceBook/Linkedin) to see if they are affected (not that there is much we can do other than notify people). 

On Thu, Feb 23, 2017 at 8:36 PM, Art Manion <amanion@cert.org> wrote:

On 2017-02-23 19:05, jericho wrote:

> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
>
> Harold, how would you write a CVE-ish description of this, in the context
> of moving CVE to site-specific issues? The service and info disclosed is
> the easy part. Then what? Do you also mention some of the services that
> use Cloudflare? Some businesses may know, where individuals do not (e.g.
> 1Password is hosted on it). What date range do you put down for this? You
> know the fix date, but not the start date. This goes back to the problem
> of making such entries useful to companies trying to determine risk.

Not answering your question, but:

This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it."  The description might
be tricky, but the description is primarily to catalog/de-duplicate, not
to help assess risk.

CVE is lower layer of infrastructure.  Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.

 - Art

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com