CVE/CNA coverage

CVE/CNA coverage

Kurt Seifried
So somebody asked for a CVE for Glassfish open server.

Project sponsored by Oracle. Traditionally I've taken the "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic this would make this open source project fall into Oracle's space, so I guess my question is:

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arm's length perhaps?

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source). If Oracle does want to be the CNA I'll redirect the request to them.

And in general should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt.

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
RE: CVE/CNA coverage

Williams, Ken

They’ve previously issued CVE identifiers for it.

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Regards,

kw

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Wednesday, March 29, 2017 2:08 PM
To: cve-editorial-board-list <[hidden email]>
Subject: CVE/CNA coverage

Re: CVE/CNA coverage

Kurt Seifried
Ah, then I guess that answers my question pretty clearly; I'll redirect the requestor. Thanks!

On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <[hidden email]> wrote:

They’ve previously issued CVE identifiers for it.

Re: CVE/CNA coverage

Kurt Seifried
In reply to this post by Williams, Ken
That is Oracle GlassFish Server, which is different from the GlassFish Open Source one (as I understand it), e.g.:


On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <[hidden email]> wrote:

They’ve previously issued CVE identifiers for it.

RE: CVE/CNA coverage

Williams, Ken

You raise a good point that also probably applies to a number of other Sun/Oracle projects with vulnerabilities, like: Java Mail, JAXB, JMS, JNDI, MySQL.

The CVE answer appears to be clear only if you’re talking about the commercially supported versions of these projects.

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Regards,

kw

From: Kurt Seifried [mailto:[hidden email]]
Sent: Wednesday, March 29, 2017 2:25 PM
To: Williams, Ken <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: CVE/CNA coverage

That is Oracle GlassFish Server which is different than the GlassFish Open Source one (as I understand it), e.g.:

Re: CVE/CNA coverage

Kurt Seifried-2
In reply to this post by Kurt Seifried
Sorry, I was on my phone; I meant to delete that draft but instead I sent it (I had drafted it but then double-checked the product name).

On Wed, Mar 29, 2017 at 1:20 PM, Kurt Seifried <[hidden email]> wrote:
Ah then I guess that answers my question pretty clearly, I'll redirect the requestor.  Thanks!

RE: CVE/CNA coverage

Coffin, Chris
In reply to this post by Williams, Ken

Kurt,

It’s not clear to me whether Oracle would consider this within their scope. FYI… a quick search doesn’t find any previous CVEs for GlassFish Open Server. I think the safest thing to do is to redirect them to Oracle. In the meantime, we will also send a note to Oracle about the issue. We will also ask the question as to whether all “Sponsored” products should be considered within the scope of Oracle, or if there would be exceptions. If there are exceptions, then I would agree: we need to push for lists that provide CNA scope information for all CNAs.

Should we consider this a discussion point for becoming a CNA Rule? For example, a rule that states a CNA must provide a page on their web site which lists the products for which they accept vulnerability reports.

Chris

From: [hidden email] [mailto:[hidden email]] On Behalf Of Williams, Ken
Sent: Wednesday, March 29, 2017 2:38 PM
To: Kurt Seifried <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: RE: CVE/CNA coverage

You raise a good point that also probably applies to a number of other Sun/Oracle projects with vulnerabilities, like:  Java Mail, JAXB, JMS, JNDI, MySQL.

Re: CVE/CNA coverage

Adinolfi, Daniel R

FYI,

I have added this issue to the "Suggested Rules Changes" document in GitHub.

https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes

This document can be edited by anyone, so if you have other ideas for rules changes, or want to comment on what is already there, please do so.

Thanks.

-Dan

From: <[hidden email]> on behalf of "Coffin, Chris" <[hidden email]>
Date: Thursday, March 30, 2017 at 10:13
To: "Williams, Ken" <[hidden email]>, Kurt Seifried <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: RE: CVE/CNA coverage

Re: CVE/CNA coverage

Kurt Seifried

Closing the email loop: it turned out they had asked Oracle, Oracle declined, and DWF ended up assigning them.


On 2017-03-30 8:42 AM, Adinolfi, Daniel R wrote:

FYI,

I have added this issue to the "Suggested Rules Changes" document in GitHub.