[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: upcoming intel issue
Just a note at least one of my emails got bounced by mcafee's system
as spam. Not sure if anyone else's system ate it.
On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas
<Thomas.Millar@hq.dhs.gov> wrote:
> Yes to all that.
>
>
>
> Tom Millar, US-CERT
>
> Sent from +1-202-631-1915
> https://www.us-cert.gov
>
> ________________________________
> From: Coffin, Chris
> Sent: Wednesday, January 03, 2018 11:46:59 PM
> To: Kurt Seifried; Millar, Thomas
> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
> Subject: RE: upcoming intel issue
>
> Agree that this is worthy of a discussion, special handling, and
> probably
> some documented guidelines. One thought is that the CNA should
> identify
> issues that affect other vendors and notify/coordinate where
> appropriate, or
> at the very least contact their parent CNA so that they can share the
> reserved CVE ID and some limited bit of detail.
>
>
>
> It used to be the case that MITRE handled issue like this once public,
> though we have moved away from that in the past few years.
>
>
>
> Regards,
>
>
>
> Chris
>
>
>
>
>
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> Kurt
> Seifried
> Sent: Wednesday, January 3, 2018 5:35 PM
> To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
> Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>;
> Landfield, Kent <Kent_Landfield@mcafee.com>; cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: upcoming intel issue
>
>
>
> So some challenges with this one:
>
>
>
> 1) it is multiple issues
>
> 2) it affects multiple vendors at the root cause level
>
> 2) it affects multiple vendors with workaround/fix (e.g.... all the
> OSs,
> sigh)
>
>
>
> So yes it is correct to say that these 3 CVE's were from Intel's CNA
> and
> thus "owned" by Intel, but it's clear that literally every OS vendor
> on the
> planet that runs on x86 (and some others...) is going to need to deal
> with
> this, so from that perspective I think one could argue for more
> community
> "ownership" of the CVEs.
>
>
>
> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc,
> lots of
> projects that are used by literally everyone), the best way I
> can/could
> think of to fix this was the JSON format with per vendor/product
> statements
> so everyone can have their own cake on their own table as it were.
>
>
>
> I also know MITRE has poked me in past for high visibility CVEs, and I
> generally agree with this, so perhaps some guidelines should be
> created,
> e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or
> higher and
> more than 10 million affected instances should be high priority, or
> if it
> hits cnn.com AND the BBC AND Reuters... and if the original CNA
> doesn't get
> it in quickly some other CNA is allowed to).
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas
> <Thomas.Millar@hq.dhs.gov>
> wrote:
>
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> Art
> Manion
> Sent: Wednesday, January 3, 2018 17:51
> To: jericho <jericho@attrition.org>; Landfield, Kent
> <Kent_Landfield@McAfee.com>
> Cc: cve-editorial-board-list
> <cve-editorial-board-list@LISTS.MITRE.ORG>
> Subject: Re: upcoming intel issue
>
> On 1/3/18 5:25 PM, Art Manion wrote:
>
>> So first, what is the vulnerability (or vulnerabilities) -- things
>> that
>> warrant a CVE ID, and second who is responsible for assigning IDs?
>
> https://meltdownattack.com/
>
> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>
> Not immediately populated, so not sure what the distinctions are.
>
> - Art
>
>
>
>
>
> --
>
> Kurt Seifried
> kurt@seifried.org
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com