Hello Chuck,

Thank you for the quick turnaround time on this issue.

Kind regards,
Lorenz

On 01/09/16 18:46, Wergin, Charles (Assoc) wrote:
Good afternoon,

Thank you for contacting the NVD regarding this issue. We have adjusted the attack vectors based on the information you have provided. Based on the CVSSv3 specification and scoring guidance, we feel the metrics for impact are accurate based on the current available information. If you can provide additional publicly available information that justifies other changes, we will investigate and perhaps further adjust the score.

Respectfully,
Chuck Wergin
National Vulnerability Database
nvd.nist.gov

-----Original Message-----
From: Lorenz Quack [mailto:[email protected]]
Sent: Thursday, September 01, 2016 8:23 AM
To: nvd <[email protected]>
Cc: [email protected]; [email protected]
Subject: Dispute of CVSS Score for CVE-2016-4974

Dear Madam or Sir,

I would like to dispute the CVSS score of CVE-2016-4974 [1]. Upon our request the MITRE description [2] was recently changed to more accurately describe the circumstances under which this vulnerability can be exploited.

The original description read:

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote attackers to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

This has been changed in the following way:

[...] which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects [...]

I can see that this change is already reflected in the NVD database. However, the CVSS severity score has not been adjusted. Our impression is that the current high rating is mainly due to the misunderstanding that this vulnerability could be exploited by an unauthenticated remote attacker, which is not correct.

To exploit the vulnerability the following conditions need to be met:

* The attacker needs authorization to send messages to the target system.
* The target application needs to call getObject() on the received JMS message.
* The target application needs to have additional exploitable classes (e.g., Apache Commons Collections [3]) on the JVM classpath.

For reference, Red Hat's CVSSv3 severity assessment [4] resulted in a score of 5.6, whereas NVD's assessment [1] resulted in a score of 9.8.

Please let me know if you require further information to consider changing the CVSS score.

Kind regards,
Lorenz Quack
on behalf of the Apache Qpid Project Management Committee

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[3] https://issues.apache.org/jira/browse/COLLECTIONS-580
[4] https://access.redhat.com/security/cve/CVE-2016-4974
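The third exploitation condition in the thread above (exploitable classes reachable on the JVM classpath) is the one an application owner can neutralise independently of the client library, by deserializing only a closed allow-list of classes. The following is an added example, not Apache Qpid code and not the fix shipped in the client releases named above; it uses the JEP 290 ObjectInputFilter API (JDK 9+) on a raw serialized payload, standing in for the bytes of an ObjectMessage, and the class name AllowListDeserializer and its nested OrderEvent DTO are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not part of Apache Qpid): deserialize an application payload
 * through a class allow-list so that, even when an authorised sender delivers a
 * crafted serialized object, no class outside the expected DTO can be instantiated.
 */
public class AllowListDeserializer {

    /** Constructed sample: the single DTO this application expects to receive. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;

        OrderEvent(String orderId) {
            this.orderId = orderId;
        }
    }

    // JEP 290 pattern: allow the DTO and java.lang.String (its only field type),
    // reject every other class ("!*"). Gadget chains on the classpath are never reached.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "AllowListDeserializer$OrderEvent;java.lang.String;!*");

    /** Deserialize untrusted bytes under the allow-list filter. */
    public static Object decode(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    /** Helper to produce sample payloads for the demonstration. */
    static byte[] encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected message type passes the filter.
        OrderEvent ok = (OrderEvent) decode(encode(new OrderEvent("order-42")));
        System.out.println("accepted: " + ok.orderId);

        // Any class not on the list is rejected before its readObject runs. A plain
        // HashMap stands in here for a gadget class; the outcome is the same.
        try {
            decode(encode(new HashMap<String, String>()));
            System.out.println("unexpected: payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter fires on every class the stream names, so a rejection happens before any constructor or readObject of a disallowed class executes; this is what makes the second and third conditions in the thread fail even when the first (an authorised sender) is met. If the application must keep calling getObject() on the JMS client, the equivalent control is the client's own class restriction feature introduced in the fixed versions named above; consult that client's documentation for its configuration, which this example does not reproduce.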