[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: Microsoft CNA assignment issues for April

To : CVE Editorial Board < cve-editorial-board-list@lists.mitre.org >
Subject : Re: Microsoft CNA assignment issues for April
From : jericho < jericho@attrition.org >
Date : Wed, 19 Apr 2017 19:39:11 -0500
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
Delivery-date : Thu Apr 20 07:46:03 2017
Importance : high
In-reply-to : < alpine.LNX.2.00.1704111328340.19881@forced.attrition.org >
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < alpine.LNX.2.00.1704111328340.19881@forced.attrition.org >
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput : 1:2
User-agent : Alpine 2.00 (LNX 1167 2008-08-23)

MITRE,

Now that we've had a week to digest this, we have seen dozens of
mainstream news articles use 2017-3447 and 2017-2605 specifically as
CVE
identifiers. Has MITRE determined if these are a collision, or if they
can
and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it
concluded with them saying they would pass along my feedback and
suggestion to use a more distinct ID scheme. Hopefully, we'll see
something different for May.

Brian

On Tue, 11 Apr 2017, jericho wrote:

: All,
:
: Microsoft has assigned a single CVE to cover "all April Adobe Flash
updates"
: apparently:
:
:
https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
:
:    April Flash Security Update        2017-3447
:
: Which links to
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.
:
: Further, there is a single ID to cover "defense-in-depth" updates for
a
: product:
:
:    Defense-in-Depth Update for Microsoft Office       2017-2605
:
: Which links to
: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605
:
: I am fairly confident that 2017-3447 is not a proper assignment and
does not
: follow the CNA guidelines, about assigning IDs to another vendor's
products
: (and that vendor happens to be a CNA themselves). We've seen this
done in the
: past with Oracle as well.
:
: I'd also be surprised if a single ID assignment for multiple
defense-in-depth
: enhancements meets the criteria of a CVE ID, since DiD enhancements
generally
: do not mean there is a crossing of privilege boundaries, and
therefore not
: vulnerabilities.
:
: Could Microsoft and MITRE chime in on these please?
:
: Brian
:

Follow-Ups :
- Re: Microsoft CNA assignment issues for April
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>

References :
- Microsoft CNA assignment issues for April
  - From: jericho <jericho@attrition.org>

Prev by Date: Mozilla improper CVE assignment, does not conform to CNA rules
Next by Date: CVE scope question
Previous by thread: RE: Microsoft CNA assignment issues for April
Next by thread: Re: Microsoft CNA assignment issues for April
Index(es):
- Date
- Thread