Yep. I'd possibly end it with something more like "because we feel that lack of clarity on this point may have led to overestimation of the severity...<comparison>.." to make the viewpoint clearer.
On 3 August 2016 at 17:08, Lorenz Quack <[email protected]> wrote:
> Ok, I then propose to change this paragraph of the draft:
>
>     The description on the Qpid webpage [3,4] has been updated to
>     explicitly mention the first bullet point.
>
> to
>
>     The description on the Qpid webpage [3,4] has been updated to
>     explicitly mention the first bullet point because we are under
>     the impression that the lack of clarity on this point leads to
>     a large variance of CVSSv3 Severity assessments (Red Hat [5]:
>     5.6 vs. NVD [6]: 9.8).
>
> [5] https://access.redhat.com/security/cve/CVE-2016-4974
> [6] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
>
> Is this what you had in mind, Robbie?
>
> On 03/08/16 16:59, Robbie Gemmell wrote:
>> I noticed the MITRE page doesn't have a score; I just meant that including that detail could serve as a means of elaborating on why the change is being suggested and should be made.
>>
>> On 3 August 2016 at 16:52, Lorenz Quack <[email protected]> wrote:
>>> Hi Robbie,
>>>
>>> Thanks for the feedback.
>>> Switching to [email protected]
>>>
>>> Regarding Mark's Red Hat link, my understanding is that MITRE does not actually assign a score (at least I could not find any on their page) and is only concerned with the description and linking to references. Since the description on the Red Hat page seems to be a verbatim copy of the MITRE description, I did not see the point. I will include the Red Hat assessment (https://access.redhat.com/security/cve/CVE-2016-4974 rather than https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974) in a mail to NVD (after MITRE have updated their description) as evidence that their score is too high.
>>>
>>> Kind regards,
>>> Lorenz
>>>
>>> On 03/08/16 16:39, Robbie Gemmell wrote:
>>>> I think also referencing third-party information per the link Mark provided to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4974 would give further reinforcement of the viewpoint that it needs changing to address overestimation, by showing that others have actually rated it lower already.
>>>>
>>>> We could probably take any further discussion on this to the dev list also, since the actual security issue has already been disclosed and changes made to address it, and that too could then be referenced later if needed.
>>>>
>>>> Robbie
>>>>
>>>> On 3 August 2016 at 15:12, Lorenz Quack <[email protected]> wrote:
>>>>> Hello,
>>>>>
>>>>> As suggested by Mark, I updated publicly available information, namely the CVE description on [1,2].
>>>>>
>>>>> The next step would now be to contact MITRE. Below you will find my suggested wording.
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> Lorenz
>>>>>
>>>>> [1] https://qpid.apache.org/components/jms/security.html
>>>>> [2] https://qpid.apache.org/components/jms/security-0-x.html
>>>>>
>>>>> DRAFT:
>>>>>
>>>>> Dear Madam or Sir,
>>>>>
>>>>> I would like to request an update to the vulnerability description of CVE-2016-4974 [1]. The current description reads:
>>>>>
>>>>>     Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
>>>>>     1.0) before 0.10.0 does not restrict the use of classes
>>>>>     available on the classpath, which might allow remote
>>>>>     attackers to deserialize arbitrary objects and execute
>>>>>     arbitrary code by leveraging a crafted serialized object in a
>>>>>     JMS ObjectMessage that is handled by the getObject function.
>>>>>
>>>>> However, for this vulnerability to be exploited, all of the following conditions need to be met:
>>>>>
>>>>> * The attacker needs authorization to send messages to the target system.
>>>>>
>>>>> * The target application needs to call getObject() on the received JMS message.
>>>>>
>>>>> * The target application needs to have additional exploitable classes (e.g., Apache Commons Collections [2]) on the JVM classpath.
>>>>>
>>>>> I feel that the MITRE description does not adequately reflect these points.
>>>>>
>>>>> The description on the Qpid webpage [3,4] has been updated to explicitly mention the first bullet point.
>>>>>
>>>>> Please let me know if you require further information to consider changing the description.
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Lorenz Quack
>>>>> on behalf of the Apache Qpid Project Management Committee
>>>>>
>>>>> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
>>>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>>> [3] https://qpid.apache.org/components/jms/security.html
>>>>> [4] https://qpid.apache.org/components/jms/security-0-x.html
>>>>>
>>>>> On 25/07/16 10:44, Lorenz Quack wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It recently came to my attention that CVE-2016-4974 [1] received a CVSS v3 Base Score of 9.8. That seems exaggerated, and I believe that this assessment is due to a misunderstanding of the vulnerability. For this vulnerability to be exploited, all of the following conditions need to be met:
>>>>>>
>>>>>> * The attacker needs authorization to send messages to the target system.
>>>>>>
>>>>>> * The target application needs to call getObject() on the received JMS message.
>>>>>>
>>>>>> * The target application needs to have additional exploitable classes (e.g., Apache Commons Collections [2]) on the JVM classpath.
>>>>>>
>>>>>> Furthermore, this is the expected behavior of a compliant JMS provider.
>>>>>>
>>>>>> I feel that neither the description nor the score adequately reflect these points. I think we should consider taking steps to correct the record. NVD's FAQs [3] suggest contacting [email protected] to have the description updated and subsequently contacting NVD to ask them to update their data with reference to the MITRE update.
>>>>>> Thoughts?
>>>>>>
>>>>>> Kind regards,
>>>>>> Lorenz
>>>>>>
>>>>>> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
>>>>>> [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>>>> [3] https://nvd.nist.gov/faq

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
