
Re: Microsoft CNA assignment issues for April



I apologize for the delay in the update. I had it drafted, but I never hit send.

We confirmed that CVE-2017-3447 has not been assigned by Oracle. It has been rejected.

Microsoft has updated their Security Update Guide <https://portal.msrc.microsoft.com/> such that:

What was 2017-3347 is now ADV170005.

What was 2017-2605 is now ADV170004.

We haven't seen a response from the folks at Jenkins. But if Red Hat can please send us an update for the CVE entry for CVE-2017-2605 so we can publish it, we can add a note to that entry indicating the error to reduce further confusion.

Thanks.

-Dan

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Wednesday, April 19, 2017 at 20:39
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Microsoft CNA assignment issues for April

MITRE,

Now that we've had a week to digest this, we have seen dozens of
mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE
identifiers. Has MITRE determined if these are a collision, or if they can
and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it
concluded with them saying they would pass along my feedback and
suggestion to use a more distinct ID scheme. Hopefully, we'll see
something different for May.

Brian

On Tue, 11 Apr 2017, jericho wrote:

: All,
:
: Microsoft has assigned a single CVE to cover "all April Adobe Flash updates"
: apparently:
:
:    April Flash Security Update           2017-3447
:
: Further, there is a single ID to cover "defense-in-depth" updates for a
: product:
:
:    Defense-in-Depth Update for Microsoft Office      2017-2605
:
: Which links to
:
: I am fairly confident that 2017-3447 is not a proper assignment and does not
: follow the CNA guidelines, about assigning IDs to another vendor's products
: (and that vendor happens to be a CNA themselves). We've seen this done in the
: past with Oracle as well.
:
: I'd also be surprised if a single ID assignment for multiple defense-in-depth
: enhancements meets the criteria of a CVE ID, since DiD enhancements generally
: do not mean there is a crossing of privilege boundaries, and therefore not
: vulnerabilities.
:
: Could Microsoft and MITRE chime in on these please?
:
: Brian
:


Page Last Updated or Reviewed: April 20, 2017