+1 to the suggested draft to MITRE.

On 3 August 2016 at 16:59, Robbie Gemmell <[email protected]> wrote:
> I noticed the MITRE page doesn't have a score, I just meant that
> including that detail could serve as a means of elaborating on why the
> change is being suggested and should be made.
>
> On 3 August 2016 at 16:52, Lorenz Quack <[email protected]> wrote:
>> Hi Robbie,
>>
>> Thanks for the feedback.
>> Switching to [email protected]
>>
>> Regarding Mark's Red Hat link, my understanding is that MITRE does not
>> actually assign a score (at least I could not find any on their page)
>> and is only concerned with the description and linking to
>> references. Since the description on the Red Hat page seems to be a
>> verbatim copy of the MITRE description I did not see the point. I
>> will include the Red Hat assessment
>> (https://access.redhat.com/security/cve/CVE-2016-4974 rather than
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974) in a mail to
>> NVD (after MITRE have updated their description) as evidence that their
>> score is too high.
>>
>> Kind regards,
>> Lorenz
>>
>> On 03/08/16 16:39, Robbie Gemmell wrote:
>>> I think also referencing third party information per the link Mark
>>> provided to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974
>>> would give further reinforcement of the viewpoint that it needs
>>> changing to address overestimation, by showing that others have
>>> actually rated it lower already.
>>>
>>> We could probably take any further discussion on this to the dev list
>>> also, since the actual security issue has already been disclosed and
>>> changes made to address it, and that too could then be referenced
>>> later if needed.
>>>
>>> Robbie
>>>
>>> On 3 August 2016 at 15:12, Lorenz Quack <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> As suggested by Mark I updated publicly available information. Namely the
>>>> CVE description on [1,2].
>>>>
>>>> The next step would now be to contact MITRE. Below you will find my
>>>> suggested wording.
>>>>
>>>> Kind Regards,
>>>>
>>>> Lorenz
>>>>
>>>> [1] https://qpid.apache.org/components/jms/security.html
>>>> [2] https://qpid.apache.org/components/jms/security-0-x.html
>>>>
>>>> DRAFT:
>>>>
>>>> Dear Madam or Sir,
>>>>
>>>> I would like to request an update to the vulnerability
>>>> description of CVE-2016-4974 [1]. The current description reads:
>>>>
>>>>     Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
>>>>     1.0) before 0.10.0 does not restrict the use of classes
>>>>     available on the classpath, which might allow remote
>>>>     attackers to deserialize arbitrary objects and execute
>>>>     arbitrary code by leveraging a crafted serialized object in a
>>>>     JMS ObjectMessage that is handled by the getObject function.
>>>>
>>>> However, for this vulnerability to be exploited all of the
>>>> following conditions need to be met:
>>>>
>>>> * The attacker needs authorization to send messages to the
>>>>   target system.
>>>>
>>>> * The target application needs to call getObject() on the
>>>>   received JMS message.
>>>>
>>>> * The target application needs to have additional exploitable
>>>>   classes (e.g., Apache Commons Collections [2]) on the JVM
>>>>   classpath.
>>>>
>>>> I feel that the MITRE description does not adequately reflect
>>>> these points.
>>>>
>>>> The description on the Qpid webpage [3,4] has been updated to
>>>> explicitly mention the first bullet point.
>>>>
>>>> Please let me know if you require further information to consider
>>>> changing the description.
>>>>
>>>> Kind regards,
>>>>
>>>> Lorenz Quack
>>>> on behalf of the Apache Qpid Project Management Committee
>>>>
>>>> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
>>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>> [3] https://qpid.apache.org/components/jms/security.html
>>>> [4] https://qpid.apache.org/components/jms/security-0-x.html
>>>>
>>>> On 25/07/16 10:44, Lorenz Quack wrote:
>>>>> Hi,
>>>>>
>>>>> It recently came to my attention that CVE-2016-4974 [1] received
>>>>> a CVSS v3 Base Score of 9.8. That seems exaggerated and I
>>>>> believe that this assessment is due to a misunderstanding of the
>>>>> vulnerability. For this vulnerability to be exploited all of the
>>>>> following conditions need to be met:
>>>>>
>>>>> * The attacker needs authorization to send messages to the
>>>>>   target system.
>>>>>
>>>>> * The target application needs to call getObject() on the
>>>>>   received JMS message.
>>>>>
>>>>> * The target application needs to have additional exploitable
>>>>>   classes (e.g., Apache Commons Collections [2]) on the JVM
>>>>>   classpath.
>>>>>
>>>>> Furthermore, this is the expected behavior of a compliant JMS
>>>>> provider.
>>>>>
>>>>> I feel that neither the description nor the score adequately
>>>>> reflect these points. I think we should consider taking steps to
>>>>> correct the record. NVD's FAQs [3] suggest contacting
>>>>> [email protected] to have the description updated and subsequently
>>>>> contacting NVD to ask them to update their data with reference to
>>>>> the MITRE update.
>>>>> Thoughts?
>>>>>
>>>>> Kind regards,
>>>>> Lorenz
>>>>>
>>>>> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
>>>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>>> [3] https://nvd.nist.gov/faq
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
