Hello Qpid-Dev,

Context:
As you might be aware, the recent Qpid vulnerability CVE-2016-4974
received a very high severity rating of 9.8 by NIST.  We feel that
this was unjustified and are in the process of getting this
adjusted.  The first step, getting MITRE to change the description
was completed.

Now that MITRE has changed the description of CVE-2016-4974 I am
going to request that NIST re-evaluate the severity of the issue.
Please find below a draft of that request.

After a ready-for-comments period of 24h I will send this to NIST.

Kind regards,
Lorenz


DRAFT:

Dear Madam or Sir,

I would like to dispute the CVSS score of CVE-2016-4974 [1].

Upon our request the MITRE description [2] was recently changed
to more accurately describe the circumstances under which this
vulnerability can be exploited.  The original description read:

    Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
    1.0) before 0.10.0 does not restrict the use of classes
    available on the classpath, which might allow remote
    attackers to deserialize arbitrary objects and execute
    arbitrary code by leveraging a crafted serialized object in a
    JMS ObjectMessage that is handled by the getObject function.

This has been changed in the following way:

    [...] which might allow remote authenticated users with
    permission to send messages to deserialize arbitrary objects
    [...]

I can see that this change is already reflected in the NVD
database.  However, the CVSS severity score has not been
adjusted.

Our impression is that the current high rating is mainly due to
the misunderstanding that this vulnerability could be exploited
by an unauthenticated remote attacker, which is not correct.  To
exploit the vulnerability the following conditions need to be
met:

 * The attacker needs authorization to send messages to the
   target system.

 * The target application needs to call getObject() on the
   received JMS message.

 * The target application needs to have additional exploitable
   classes (e.g., Apache Commons Collections [3]) on the JVM
   classpath.

For reference, Red Hat's CVSSv3 severity assessment [4] resulted
in a score of 5.6, whereas NVD's assessment [1] resulted in a
score of 9.8.

Please let me know if you require further information to consider
changing the CVSS score.


Kind regards,

Lorenz Quack
on behalf of the Apache Qpid Project Management Committee


[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[3] https://issues.apache.org/jira/browse/COLLECTIONS-580
[4] https://access.redhat.com/security/cve/CVE-2016-4974
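The draft above lists three conditions for exploitation; the third (gadget classes such as Commons Collections reachable on the JVM classpath) is the one a consuming application can neutralise on its own side. The Java program below is an added illustration written for this page, not code from the email or from the Qpid clients: it shows the standard "look-ahead" deserialization allowlist, an ObjectInputStream subclass that rejects any class descriptor not on an explicit allowlist in resolveClass(), which runs before an instance of that class is created. The OrderEvent type, the allowlist contents and the byte arrays standing in for message bodies are all constructed for the example; java.util.HashMap is used only as a harmless stand-in for "a class the consumer did not expect". It assumes Java 9 or later for Set.of(); on JDK 9+ the built-in ObjectInputFilter (JEP 290) is the equivalent mechanism, and the fixed Qpid client versions named in the CVE text add their own class restrictions, which this example does not attempt to reproduce.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class AllowlistDeserializationDemo {

    /** Hypothetical application payload: the only type this consumer expects in a message body. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    /** Classes the consumer is willing to reconstruct from a message body (constructed allowlist). */
    static final Set<String> ALLOWED = Set.of(OrderEvent.class.getName());

    /**
     * ObjectInputStream that consults the allowlist in resolveClass(), i.e. when the class
     * descriptor is read and before any object of that class is allocated. A gadget class that
     * happens to be on the classpath is therefore never instantiated, whatever the sender put
     * in the stream.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(ByteArrayInputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Produce a serialized body the way a sender would (used here only to build test input). */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    /** The consumer-side replacement for blindly trusting a message body's object graph. */
    static Object deserializeBody(byte[] body) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allowlist and is reconstructed normally.
        byte[] expected = serialize(new OrderEvent("A-100"));
        OrderEvent event = (OrderEvent) deserializeBody(expected);
        System.out.println("accepted: " + event.orderId);

        // Constructed stand-in for an unexpected class: HashMap is harmless, but it is not on
        // the allowlist, so the stream is rejected before any HashMap instance is created.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeBody(unexpected);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDeserializationDemo.java && java AllowlistDeserializationDemo`. The design point is that the decision is taken per class descriptor as the stream is parsed, not after readObject() returns, so an allowlist of one application type is enough to make the classpath contents irrelevant to the outcome; a denylist of known gadget classes would have to be maintained against every library on the classpath and is the weaker choice.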
