Re: Microsoft CNA assignment issues for April
MITRE,
Now that we've had a week to digest this, we have seen dozens of mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE identifiers. Has MITRE determined if these are a collision, or if they can and will be REJECTed in advance?
I exchanged several emails with MSRC last week about this, and it
concluded with them saying they would pass along my feedback and
suggestion to use a more distinct ID scheme. Hopefully, we'll see
something different for May.
Brian
On Tue, 11 Apr 2017, jericho wrote:
: All,
:
: Microsoft has assigned a single CVE to cover "all April Adobe Flash updates" apparently:
:
: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
:
: April Flash Security Update 2017-3447
:
: Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.
:
: Further, there is a single ID to cover "defense-in-depth" updates for a product:
:
: Defense-in-Depth Update for Microsoft Office 2017-2605
:
: Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605
:
: I am fairly confident that 2017-3447 is not a proper assignment and does not follow the CNA guidelines, about assigning IDs to another vendor's products (and that vendor happens to be a CNA themselves). We've seen this done in the past with Oracle as well.
:
: I'd also be surprised if a single ID assignment for multiple defense-in-depth enhancements meets the criteria of a CVE ID, since DiD enhancements generally do not mean there is a crossing of privilege boundaries, and therefore are not vulnerabilities.
:
: Could Microsoft and MITRE chime in on these please?
:
: Brian
: