I noticed the MITRE page doesn't have a score; I just meant that including that detail could serve as a means of elaborating on why the change is being suggested and should be made.
On 3 August 2016 at 16:52, Lorenz Quack <[email protected]> wrote:
> Hi Robbie,
>
> Thanks for the feedback.
> Switching to [email protected]
>
> Regarding Mark's Red Hat link, my understanding is that MITRE does not actually assign a score (at least I could not find any on their page) and is only concerned with the description and linking to references. Since the description on the Red Hat page seems to be a verbatim copy of the MITRE description I did not see the point. I will include the Red Hat assessment (https://access.redhat.com/security/cve/CVE-2016-4974 rather than https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974) in a mail to NVD (after MITRE have updated their description) as evidence that their score is too high.
>
> Kind regards,
> Lorenz
>
>
> On 03/08/16 16:39, Robbie Gemmell wrote:
>>
>> I think also referencing third party information per the link Mark provided to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974 would give further reinforcement of the viewpoint that it needs changing to address overestimation, by showing that others have actually rated it lower already.
>>
>> We could probably take any further discussion on this to the dev list also, since the actual security issue has already been disclosed and changes made to address it, and that too could then be referenced later if needed.
>>
>> Robbie
>>
>> On 3 August 2016 at 15:12, Lorenz Quack <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> As suggested by Mark I updated publicly available information, namely the CVE description on [1,2].
>>>
>>> The next step would now be to contact MITRE. Below you will find my suggested wording.
>>>
>>> Kind Regards,
>>>
>>> Lorenz
>>>
>>> [1] https://qpid.apache.org/components/jms/security.html
>>> [2] https://qpid.apache.org/components/jms/security-0-x.html
>>>
>>> DRAFT:
>>>
>>> Dear Madam or Sir,
>>>
>>> I would like to request an update to the vulnerability description of CVE-2016-4974 [1]. The current description reads:
>>>
>>>     Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote attackers to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
>>>
>>> However, for this vulnerability to be exploited all of the following conditions need to be met:
>>>
>>> * The attacker needs authorization to send messages to the target system.
>>>
>>> * The target application needs to call getObject() on the received JMS message.
>>>
>>> * The target application needs to have additional exploitable classes (e.g., Apache Commons Collections [2]) on the JVM classpath.
>>>
>>> I feel that the MITRE description does not adequately reflect these points.
>>>
>>> The description on the Qpid webpage [3,4] has been updated to explicitly mention the first bullet point.
>>>
>>> Please let me know if you require further information to consider changing the description.
>>>
>>> Kind regards,
>>>
>>> Lorenz Quack
>>> on behalf of the Apache Qpid Project Management Committee
>>>
>>> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>> [3] https://qpid.apache.org/components/jms/security.html
>>> [4] https://qpid.apache.org/components/jms/security-0-x.html
>>>
>>>
>>> On 25/07/16 10:44, Lorenz Quack wrote:
>>>>
>>>> Hi,
>>>>
>>>> It recently came to my attention that CVE-2016-4974 [1] received a CVSS v3 Base Score of 9.8. That seems exaggerated and I believe that this assessment is due to a misunderstanding of the vulnerability. For this vulnerability to be exploited all of the following conditions need to be met:
>>>>
>>>> * The attacker needs authorization to send messages to the target system.
>>>>
>>>> * The target application needs to call getObject() on the received JMS message.
>>>>
>>>> * The target application needs to have additional exploitable classes (e.g., Apache Commons Collections [2]) on the JVM classpath.
>>>>
>>>> Furthermore, this is the expected behavior of a compliant JMS provider.
>>>>
>>>> I feel that neither the description nor the score adequately reflect these points. I think we should consider taking steps to correct the record. NVD's FAQs [3] suggest contacting [email protected] to have the description updated and subsequently contacting NVD to ask them to update their data with reference to the MITRE update.
>>>> Thoughts?
>>>>
>>>> Kind regards,
>>>> Lorenz
>>>>
>>>> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
>>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>> [3] https://nvd.nist.gov/faq
>>>>
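The second precondition in the thread above (the target application has to call getObject() on a received JMS message) is the one an application owner can verify in their own code. The following is an added illustration, not code from the thread or from the Apache Qpid project: two MessageListener implementations written against the standard javax.jms API, one that satisfies that precondition and one that never deserializes a message body. The Order type, the "id=...;qty=..." text format and the handle() method are hypothetical stand-ins for application logic.

```java
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import javax.jms.TextMessage;

/**
 * Two listeners for the same destination. Whether the ObjectMessage
 * deserialization discussed in the thread is reachable depends on the
 * consuming application: UnsafeListener calls getObject(), so the
 * precondition holds; HardenedListener never does.
 *
 * The other two preconditions (a sender authorized to publish to this
 * destination, and gadget classes on the JVM classpath) are outside the
 * scope of this code: they are broker ACL and dependency-hygiene matters.
 */
public final class ObjectMessageConsumers {

    /** Precondition met: every ObjectMessage the broker delivers is deserialized here. */
    public static final class UnsafeListener implements MessageListener {
        @Override
        public void onMessage(Message message) {
            try {
                if (message instanceof ObjectMessage) {
                    // getObject() performs Java deserialization of a body that the
                    // sender controls. This is the point at which classes available
                    // on the classpath get instantiated.
                    Object payload = ((ObjectMessage) message).getObject();
                    handle(payload);
                }
            } catch (JMSException e) {
                throw new IllegalStateException("JMS failure", e);
            }
        }
    }

    /** Precondition not met: only text bodies are accepted, and they are parsed explicitly. */
    public static final class HardenedListener implements MessageListener {
        @Override
        public void onMessage(Message message) {
            try {
                if (message instanceof TextMessage) {
                    // An explicit text format cannot name arbitrary classes to load.
                    handle(parseOrder(((TextMessage) message).getText()));
                } else {
                    // Anything else, including ObjectMessage, is dropped without
                    // touching the body. Reading the message ID does not deserialize it.
                    System.err.println("dropping unexpected " + message.getClass().getName()
                            + " with id " + message.getJMSMessageID());
                }
            } catch (JMSException e) {
                throw new IllegalStateException("JMS failure", e);
            }
        }
    }

    /** Hypothetical domain object standing in for whatever the application consumes. */
    public static final class Order {
        public final String id;
        public final int quantity;

        Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }

        @Override
        public String toString() {
            return "Order{" + id + " x" + quantity + "}";
        }
    }

    /** Parses the constructed "id=<alnum>;qty=<int>" format, rejecting anything else. */
    static Order parseOrder(String text) {
        String[] fields = text.trim().split(";");
        if (fields.length != 2 || !fields[0].startsWith("id=") || !fields[1].startsWith("qty=")) {
            throw new IllegalArgumentException("malformed order: " + text);
        }
        String id = fields[0].substring(3);
        if (!id.matches("[A-Za-z0-9-]{1,32}")) {
            throw new IllegalArgumentException("bad order id");
        }
        int qty = Integer.parseInt(fields[1].substring(4));
        if (qty <= 0 || qty > 10_000) {
            throw new IllegalArgumentException("bad quantity: " + qty);
        }
        return new Order(id, qty);
    }

    /** Stand-in for the application's real processing. */
    static void handle(Object payload) {
        System.out.println("processing " + payload);
    }
}
```

Either listener is attached with the standard `consumer.setMessageListener(new HardenedListener())` on a `javax.jms.MessageConsumer`. Auditing for the second precondition amounts to searching the consuming code base for calls to `ObjectMessage.getObject()`; if none are present, the deserialization the CVE describes is never reached regardless of client version.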
