FYI,

I have added this issue to the "Suggested Rules Changes" document in GitHub.

https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes

This document can be edited by anyone, so if you have other ideas for rules changes, or want to comment on what is already there, please do so.

Thanks.

-Dan
Kurt,

It's not clear to me whether Oracle would consider this within their scope. FYI... a quick search doesn't find any previous CVEs for GlassFish Open Server. I think the safest thing to do is to redirect them to Oracle. In the meantime, we will also send a note to Oracle about the issue. We will also ask the question as to whether all "Sponsored" products should be considered within the scope of Oracle, or if there would be exceptions. If there are exceptions then I would agree, we need to push for lists that provide CNA scope information for all CNAs.

Should we consider this a discussion point for becoming a CNA Rule? For example, a rule that states a CNA must provide a page on their web site which lists the products for which they accept vulnerability reports.

Chris
You raise a good point that also probably applies to a number of other Sun/Oracle projects with vulnerabilities, like: Java Mail, JAXB, JMS, JNDI, MySQL.

The CVE answer appears to be clear only if you're talking about the commercially supported versions of these projects.

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Regards,
kw
That is Oracle GlassFish Server which is different than the GlassFish Open Source one (as I understand it), e.g.:

On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <Ken.Williams@ca.com> wrote:
They've previously issued CVE identifiers for it.

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Regards,
kw
So somebody asked for a CVE for GlassFish Open Server, a project sponsored by Oracle. Traditionally I've taken the "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic this would make this open source project fall into Oracle's space, so I guess my question is:

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arms length perhaps?

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source). If Oracle does want to be the CNA I'll redirect the request to them.

And in general should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com