10:35-10:55: Review of Action items (see attached excel file)
See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 3Mar21 – Agenda and Action items)
Record Submission and Upload Service (RSUS):
- Replace the GitHub submission service so that CNAs can submit CVE information directly to the database, without the need for manual review.
- Next milestone: When the requirements are reviewed and approved, a development schedule will be produced in the next week or so.
ID Reservation (IDR) Service update:
- We have successfully distributed the first wave of the IDR credentials. To date, 59 CNAs (40%) have signed up for IDR, and 98 keys have been distributed. The second wave of credential distribution is underway.
- CNAs must have the approval of the entity being credited unless the entity has a public article on the Internet that supports the credit.
- The credit text shall not include any text that violates the CVE code of conduct or content policies (e.g., foul language).
- Jo Bazar (MITRE) was moderator, and the focus of the podcast was MongoDB's internal processes for managing CVEs. The MongoDB team was Lena Smart, CISO (Chief Information Security Officer); Chris Sandulow, Deputy CISO; and Boris Sieklik, Director of Product Security.
- Consensus was reached that the presentation is almost ready to move forward. A couple of changes were identified, and a soft copy of the presentation will be provided to the members for review and additional feedback. Discussion will continue at the next SPWG meeting.
- ENISA aims to procure supporting services to take stock of existing policies and good practices on Coordinated Vulnerability Disclosure (CVD), in the EU Member States and outside the EU, as well as to take stock of the existing national, regional and global vulnerability registers and databases, and the formats, metrics and procedures used in those registers and databases. The tender has two main objectives: 1) stocktaking of vulnerability disclosure policies and good practices in the EU, and 2) stocktaking of global, regional and national vulnerability databases and registers.
- Kent is actively involved with this request and has attended a couple of meetings along with other cybersecurity efforts. Kent will provide updates to the Board as the effort moves forward.
- The group continued their discussion about the Docker container issue that was brought to MITRE's attention by Jerry Gamblin, who documented his complaints in a blog post:
  https://jerrygamblin.com/2020/12/17/cve-stuffing/
- Description of issue: Insecure default configuration for the admin password. The issue occurs because the base Docker image was configured incorrectly and is used by other people to build their own Docker images, which inherit the insecure default.
- The rules intentionally use the vague term "product" so that it can cover "standards, application programming interfaces (APIs), and protocols."
- Docker images are not explicitly enumerated but could fall within the term "product."
- Yes, there is significant utility in doing so, if the affected virtual images can be identified accurately. For example, virtual images can include code not distributed by other means.
- Should an insecure default configuration (e.g., a default password for the admin user) be considered a vulnerability?
- Slippery slope – requires the assigner to determine what the security model is when there are often multiple interpretations.
- For some products (e.g., Docker containers), users have expectations that the product is secure out of the box.
- It is not clear whether insecure defaults should be considered "code" for the purposes of 7.2.4a of the CNA Rules.
- 7.2.5a of the CNA Rules says that each instance should be given a separate ID because there is a secure method of using the functionality.
- The security models for the upstream and downstream products are different. What is a vulnerability in one may not be in the other, so they need separate IDs.
- Images (and SaaS?) have different security models than traditional software, so they should have their own exception in 7.2.5.
- The group agreed that additional information was needed. MITRE will review current CVE ID assignments for default configurations and report findings to the Board.
- The group reviewed the CVE Program Name poll results. The poll was sent to the CNA Discussion list, with 70 CNAs responding. The poll included the following four questions:
- What is the impact to your business of changing the CVE name? 70% said no impact and 9% said it would impact their business.
- The group requested that the Secretariat initiate a vote about deemphasizing the whole name internally (within the CVE Program) and moving towards just using "CVE."
The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().