[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

RE: CVE for services - already done? CVE-2017-10128

To : "Millar, Thomas" < Thomas.Millar@hq.dhs.gov >, Kurt Seifried < kurt@seifried.org >, cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >, "Andy Balinsky (balinsky)" < balinsky@cisco.com >
Subject : RE: CVE for services - already done? CVE-2017-10128
From : "Coffin, Chris" < ccoffin@mitre.org >
Date : Thu, 19 Oct 2017 13:11:14 +0000
Accept-language : en-US
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
Delivery-date : Thu Oct 19 13:44:32 2017
In-reply-to : <7748E4BAEC3B964387F3535351DCBA1F01153F4719@D2ASEPREA010>
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < CABqVa3-k3+6U4RdCSBVvAagE5Jiw9xXnbZqj0BcS3XUN_BECcQ@mail.gmail.com > <7748E4BAEC3B964387F3535351DCBA1F01153F4719@D2ASEPREA010>
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput : 1:2
Thread-index : AQHTSFKv2nY2X0iCR02Wg0KkcbF9y6LqKh4AgAD6u6A=
Thread-topic : CVE for services - already done? CVE-2017-10128

Agreed.

However, based on the discussion we had on the Board call yesterday regarding CVEs for services, we should first reach out to our contact at Oracle and see what their thoughts are on this. It would appear that they also see value in assigning for services or at least in what they consider to be edge cases.

Chris

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Millar, Thomas
Sent: Wednesday, October 18, 2017 5:07 PM
To: Kurt Seifried <kurt@seifried.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>; Andy Balinsky (balinsky) <balinsky@cisco.com>
Subject: RE: CVE for services - already done? CVE-2017-10128

It reads to me like there is an app that resides on systems in the hotel offices, and that’s where the vulnerability is, so an action by the local admin is needed to address.

Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Wednesday, October 18, 2017 9:47:45 PM
To: cve-editorial-board-list; Andy Balinsky (balinsky)
Subject: CVE for services - already done? CVE-2017-10128

Vulnerability in the Hospitality WebSuite8 Cloud Service component of Oracle Hospitality Applications (subcomponent: General). Supported versions that are affected are 8.9.6 and 8.10.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hospitality WebSuite8 Cloud Service. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hospitality WebSuite8 Cloud Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hospitality WebSuite8 Cloud Service accessible data as well as unauthorized read access to a subset of Hospitality WebSuite8 Cloud Service accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

https://www.oracle.com/industries/hospitality/products/websuite8.html

Oracle Hospitality WebSuite8 is cloud-based hotel software designed for small hotels and guest and boarding houses. The solution enables efficient guest and room management while increasing online revenue through an integrated booking engine and channel manager solution. This product is available in the EMEA and JAPAC regions only.

So I guess we're doing cloud services now =) or should this be rejected, or?

Kurt Seifried
kurt@seifried.org

References :
- CVE for services - already done? CVE-2017-10128
  - From: Kurt Seifried <kurt@seifried.org>
- RE: CVE for services - already done? CVE-2017-10128
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>

Prev by Date: RE: CVE for services - already done? CVE-2017-10128
Next by Date: article on NVD and CNNVD
Previous by thread: RE: CVE for services - already done? CVE-2017-10128
Next by thread: article on NVD and CNNVD
Index(es):
- Date
- Thread