[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: Microsoft CNA assignment issues for April

To : cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Subject : Re: Microsoft CNA assignment issues for April
From : "Adinolfi, Daniel R" < dadinolfi@mitre.org >
Date : Thu, 20 Apr 2017 18:02:03 +0000
Accept-language : en-US
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
Delivery-date : Thu Apr 20 14:44:31 2017
In-reply-to : < alpine.LNX.2.00.1704191937100.32256@forced.attrition.org >
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < alpine.LNX.2.00.1704111328340.19881@forced.attrition.org > < alpine.LNX.2.00.1704191937100.32256@forced.attrition.org >
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput : 1:2
Thread-index : AQHSsvP6QpticNx7sE2ycK+h+17KsqHNdyaAgADgUAA=
Thread-topic : Microsoft CNA assignment issues for April
User-agent : Microsoft-MacOutlook/f.21.0.170409

I apologize for the delay in the update. I had it drafted, but I never hit send.

We confirmed that CVE-2017-3447 has not been assigned by Oracle. It has been rejected.

Microsoft has updated their Security Update Guide < https://portal.msrc.microsoft.com/ > such that:

What was 2017-3347 is now ADV170005.

What was 2017-2605 is now ADV170004.

We haven't see a response from the folks at Jenkins. But if Red Hat can please send us an update for the CVE entry for CVE-2017-2605 so we can publish it, we can add a note to that entry indicating the error to reduce further confusion.

Thanks.

-Dan

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Wednesday, April 19, 2017 at 20:39
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Microsoft CNA assignment issues for April

MITRE,

Now that we've had a week to digest this, we have seen dozens of

mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE

identifiers. Has MITRE determined if these are a collision, or if they can

and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it

concluded with them saying they would pass along my feedback and

suggestion to use a more distinct ID scheme. Hopefully, we'll see

something different for May.

Brian

On Tue, 11 Apr 2017, jericho wrote:

: All,

: Microsoft has assigned a single CVE to cover "all April Adobe Flash updates"

: apparently:

: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments

: April Flash Security Update 2017-3447

: Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447 .

: Further, there is a single ID to cover "defense-in-depth" updates for a

: product:

: Defense-in-Depth Update for Microsoft Office 2017-2605

: Which links to

: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605

: I am fairly confident that 2017-3447 is not a proper assignment and does not

: follow the CNA guidelines, about assigning IDs to another vendor's products

: (and that vendor happens to be a CNA themselves). We've seen this done in the

: past with Oracle as well.

: I'd also be surprised if a single ID assignment for multiple defense-in-depth

: enhancements meets the criteria of a CVE ID, since DiD enhancements generally

: do not mean there is a crossing of privilege boundaries, and therefore not

: vulnerabilities.

: Could Microsoft and MITRE chime in on these please?

: Brian

References :
- Microsoft CNA assignment issues for April
  - From: jericho <jericho@attrition.org>
- Re: Microsoft CNA assignment issues for April
  - From: jericho <jericho@attrition.org>

Prev by Date: Re: MITRE can now accept CVE ID publication notifications formatted in JSON
Next by Date: Re: Mozilla improper CVE assignment, does not conform to CNA rules
Previous by thread: Re: Microsoft CNA assignment issues for April
Next by thread: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
Index(es):
- Date
- Thread