Ok I then propose to change this paragraph of the draft:
The description on the Qpid webpage [3,4] has been updated to
explicitly mention the first bullet point.
To
The description on the Qpid webpage [3,4] has been updated to
explicitly mention the first bullet point because we are under
the impression that the lack of clarity on this point leads to
a large variance of CVSSv3 Severity assessments (Red Hat [5]:
5.6 vs. NVD [6]: 9.8)
[5] https://access.redhat.com/security/cve/CVE-2016-4974
[6] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
Is this what you had in mind Robbie?
On 03/08/16 16:59, Robbie Gemmell wrote:
I noticed the MITRE page doesn't have a score, I just meant that
including that detail could serve as a means of elaborating on why the
change is being suggested and should be made.
On 3 August 2016 at 16:52, Lorenz Quack <[email protected]> wrote:
Hi Robbie,
Thanks for the feedback.
Switching to [email protected]
Regarding Mark's Red Hat link, my understanding is that MITRE does not
actually assign a score (at least I could not find any on their page)
and is only concerned with the description and linking to
references. Since the description on the Red Hat page seems to be a
verbatim copy of the MITRE description I did not see the point. I
will include the Red Hat assessment
(https://access.redhat.com/security/cve/CVE-2016-4974 rather than
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974) in a mail to
NVD (after MITRE have updated their description) as evidence that their
score is too high.
Kind regards,
Lorenz
On 03/08/16 16:39, Robbie Gemmell wrote:
I think also referencing third party information per the link Mark
provided to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974
would give further reinforcement of the viewpoint that it needs
changing to address overestimation, by showing that others have
actually rated it lower already.
We could probably take any further discussion on this to the dev list
also, since the actual security issue has already been disclosed and
changes made to address it, and that too could then be referenced
later if needed.
Robbie
On 3 August 2016 at 15:12, Lorenz Quack <[email protected]> wrote:
Hello,
As suggested by Mark I updated publicly available information, namely the
CVE description on [1,2].
The next step would now be to contact MITRE. Below you will find my
suggested wording.
Kind Regards,
Lorenz
[1] https://qpid.apache.org/components/jms/security.html
[2] https://qpid.apache.org/components/jms/security-0-x.html
DRAFT:
Dear Madam or Sir,
I would like to request an update to the vulnerability
description of CVE-2016-4974 [1]. The current description reads:
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
1.0) before 0.10.0 does not restrict the use of classes
available on the classpath, which might allow remote
attackers to deserialize arbitrary objects and execute
arbitrary code by leveraging a crafted serialized object in a
JMS ObjectMessage that is handled by the getObject function.
However, for this vulnerability to be exploited all of the
following conditions need to be met:
* The attacker needs authorization to send messages to the
target system.
* The target application needs to call getObject() on the
received JMS message.
* The target application needs to have additional exploitable
classes (e.g., Apache Commons Collections [2]) on the JVM
classpath.
I feel that the MITRE description does not adequately reflect
these points.
The description on the Qpid webpage [3,4] has been updated to
explicitly mention the first bullet point.
Please let me know if you require further information to consider
changing the description.
Kind regards,
Lorenz Quack
on behalf of the Apache Qpid Project Management Committee
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[2] https://issues.apache.org/jira/browse/COLLECTIONS-580
[3] https://qpid.apache.org/components/jms/security.html
[4] https://qpid.apache.org/components/jms/security-0-x.html
On 25/07/16 10:44, Lorenz Quack wrote:
Hi,
it recently came to my attention that CVE-2016-4974 [1] received
a CVSS v3 Base Score of 9.8. That seems exaggerated and I
believe that this assessment is due to a misunderstanding of the
vulnerability. For this vulnerability to be exploited all of the
following conditions need to be met:
* The attacker needs authorization to send messages to the
target system.
* The target application needs to call getObject() on the
received JMS message.
* The target application needs to have additional exploitable
classes (e.g., Apache Commons Collections [2]) on the JVM
classpath.
Furthermore, this is the expected behavior of a compliant JMS
provider.
I feel that neither the description nor the score adequately
reflect these points. I think we should consider taking steps to
correct the record. NVD's FAQs [3] suggest contacting
[email protected] to have the description updated and subsequently
contacting NVD to ask them to update their data with reference to
the MITRE update.
Thoughts?
Kind regards,
Lorenz
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
[2] https://issues.apache.org/jira/browse/COLLECTIONS-580
[3] https://nvd.nist.gov/faq
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]