Lorenz,

The suggested text looks reasonable to me and meets the requirements of NIST's FAQ entry "I would like to dispute the score of a vulnerability. What should I do?" https://nvd.nist.gov/faq#440bb045-9d20-4e17-b463-8d45ff555ef1
cheers
Keith

On 31 August 2016 at 13:19, Lorenz Quack <[email protected]> wrote:
> Hello Qpid-Dev,
>
> Context:
> As you might be aware, the recent Qpid vulnerability CVE-2016-4974
> received a very high severity rating of 9.8 by NIST. We feel that
> this was unjustified and are in the process of getting this
> adjusted. The first step, getting MITRE to change the description,
> was completed.
>
> Now that MITRE has changed the description of CVE-2016-4974 I am
> going to request that NIST re-evaluate the severity of the issue.
> Please find below a draft of that request.
>
> After a ready-for-comments period of 24h I will send this to NIST.
>
> Kind regards,
> Lorenz
>
>
> DRAFT:
>
> Dear Madam or Sir,
>
> I would like to dispute the CVSS score of CVE-2016-4974 [1].
>
> Upon our request the MITRE description [2] was recently changed
> to more accurately describe the circumstances under which this
> vulnerability can be exploited. The original description read:
>
>     Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
>     1.0) before 0.10.0 does not restrict the use of classes
>     available on the classpath, which might allow remote
>     attackers to deserialize arbitrary objects and execute
>     arbitrary code by leveraging a crafted serialized object in a
>     JMS ObjectMessage that is handled by the getObject function.
>
> This has been changed in the following way:
>
>     [...] which might allow remote authenticated users with
>     permission to send messages to deserialize arbitrary objects
>     [...]
>
> I can see that this change is already reflected in the NVD
> database. However, the CVSS severity score has not been
> adjusted.
>
> Our impression is that the current high rating is mainly due to
> the misunderstanding that this vulnerability could be exploited
> by an unauthenticated remote attacker, which is not correct. To
> exploit the vulnerability the following conditions need to be
> met:
>
> * The attacker needs authorization to send messages to the
>   target system.
>
> * The target application needs to call getObject() on the
>   received JMS message.
>
> * The target application needs to have additional exploitable
>   classes (e.g., Apache Commons Collections [3]) on the JVM
>   classpath.
>
> For reference, Red Hat's CVSSv3 severity assessment [4] resulted
> in a score of 5.6, whereas NVD's assessment [1] resulted in a
> score of 9.8.
>
> Please let me know if you require further information to consider
> changing the CVSS score.
>
>
> Kind regards,
>
> Lorenz Quack
> on behalf of the Apache Qpid Project Management Committee
>
>
> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
> [3] https://issues.apache.org/jira/browse/COLLECTIONS-580
> [4] https://access.redhat.com/security/cve/CVE-2016-4974
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
