[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE/CNA coverage

Kurt,

 

It’s not clear to me whether Oracle would consider this within their scope. FYI… a quick search doesn’t find any previous CVEs for GlassFish Open Server. I think the safest thing to do is to redirect them to Oracle. In the meantime, we will also send a note to Oracle about the issue. We will also ask the question as to whether all “Sponsored” products should be considered within the scope of Oracle, or if there would be exceptions. If there are exceptions then I would agree, we need to push for lists that provide CNA scope information or all CNAs.

 

Should we consider this a discussion point for becoming a CNA Rule? For example, a rule that states a CNA must provide a page on their web site which lists the products for which they accept vulnerability reports.

 

Chris

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Williams, Ken
Sent: Wednesday, March 29, 2017 2:38 PM
To: Kurt Seifried <kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE/CNA coverage

 

You raise a good point that also probably applies to a number of other Sun/Oracle projects with vulnerabilities, like:  Java Mail, JAXB, JMS, JNDI, MySQL.

 

The CVE answer appears to be clear only if you’re talking about the commercially supported versions of these projects.

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

 

Regards,

kw

 

From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Wednesday, March 29, 2017 2:25 PM
To: Williams, Ken <Ken.Williams@ca.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE/CNA coverage

 

That is Oracle GlassFish Server which is different than the GlassFish Open Source one (as I understand it), e.g.:

 

 

On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <Ken.Williams@ca.com> wrote:

They’ve previously issued CVE identifiers for it.

 

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

 

Regards,

kw

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Wednesday, March 29, 2017 2:08 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE/CNA coverage

 

So somebody asked for a CVE for Glassfish open server

 

 

Project sponsored by Oracle. Traditionally I've taken the "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic this would make this open source project fall into Oracle's space, so I guess my question is:

 

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arms length perhaps?

 

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source), If Oracle does want to be the CNA I'll redirect the request to them. 

 

And in general should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt. 

 

--


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com



 

--


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 30, 2017