We seem to have an issue with certain CVEs that are CNA-supplied.
In the attached spreadsheet is a list of CVEs that are listed as reserved at the MITRE site but in use in the field, seemingly assigned by CNAs.
~270 of the 296 CVEs listed by customers are from Linux vendor patch advisories.
Reserved CVEs are supposed to be either updated to the published state or deleted, but these old CVEs, escalated by customers, were never processed by MITRE even after the vendors published them long ago.
The problem we found with the CVEs on that list is that even though they are marked as reserved, the respective vendors have published them in their advisories.
Example #1) CVE-2013-2124:
Here is a similar discussion on an online forum where people report a list of CVEs that are public but still in reserved status, and mention that MITRE has been processing them lately: http://comments.gmane.org/gmane.comp.security.oss.general/12072
The CVEs are collected from vendor advisories, not from a third party. If we delete them now, we will have to monitor when MITRE publishes them in the future and add them again. Since the vendors published patches with CVE references, the chances of MITRE deleting these CVEs are low in our opinion.
Kent Landfield
Director, Standards and Technology Policy, McAfee. Part of Intel Security
+1.817.637.8026
CNA-CVE-Reserved-Mismatch.xlsx
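The reconciliation the message describes, as an added example that is not part of the original post or of any McAfee tooling: given a sheet with the columns assumed here (cve_id, mitre_status, source, source_type, advisory), it lists CVEs still marked RESERVED at MITRE but cited by a vendor advisory, ignores third-party mentions, rejects malformed ids, and keeps the mismatches on a re-check list instead of deleting them. The sample rows are constructed; only CVE-2013-2124 comes from the message.

```python
import csv
import io
import re
from collections import Counter

# CVE ids are CVE-<4-digit year>-<4 or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the assumed column layout (not the real attachment).
# The 2099 ids and the *-PLACEHOLDER advisory names are placeholders.
SAMPLE_CSV = """cve_id,mitre_status,source,source_type,advisory
CVE-2013-2124,RESERVED,Red Hat,vendor,RHSA-PLACEHOLDER
CVE-2099-0001,PUBLISHED,Red Hat,vendor,RHSA-PLACEHOLDER
CVE-2099-0002,RESERVED,Debian,vendor,DSA-PLACEHOLDER
cve-2099-0003,reserved,Ubuntu,vendor,USN-PLACEHOLDER
CVE-2099-0004,RESERVED,Some blog,third_party,https://example.invalid/post
CVE-2099-5,RESERVED,SUSE,vendor,SUSE-PLACEHOLDER
"""

def parse_rows(text):
    """Read the sheet, normalise id/status case, and set aside malformed ids."""
    good, bad = [], []
    for row in csv.DictReader(io.StringIO(text)):
        row["cve_id"] = row["cve_id"].strip().upper()
        row["mitre_status"] = row["mitre_status"].strip().upper()
        (good if CVE_ID.match(row["cve_id"]) else bad).append(row)
    return good, bad

def reserved_mismatches(rows):
    """CVEs MITRE still lists as RESERVED although a vendor advisory cites them.
    Third-party mentions are excluded: only a vendor advisory counts as
    evidence that the CNA really assigned and published the id."""
    return [r for r in rows
            if r["mitre_status"] == "RESERVED" and r["source_type"] == "vendor"]

def recheck_list(rows):
    """Ids to poll at MITRE later rather than delete, keyed by id,
    with the vendor advisory that justifies keeping each one."""
    return {r["cve_id"]: r["advisory"] for r in reserved_mismatches(rows)}

def summarise(text):
    good, bad = parse_rows(text)
    mismatches = reserved_mismatches(good)
    return {
        "total": len(good),
        "reserved_but_published_by_vendor": len(mismatches),
        "by_source": dict(Counter(r["source"] for r in mismatches)),
        "malformed_ids": [r["cve_id"] for r in bad],
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_CSV))
```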