
List:       oss-security
Subject:    [oss-security] CVE-2022-21449 and version reporting
From:       "Seaman, Chad" <cseaman () akamai ! com>
Date:       2022-04-28 14:12:04
Message-ID: 484488E0-D662-4F58-80DB-499DE532FA3B () akamai ! com


Hi All,

Have a question for MITRE, Oracle, and folks here…

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

"Update 2: Oracle have informed me they are in the process of correcting the advisory to state that only versions 15-18 are impacted. The CVE has already been updated <https://nvd.nist.gov/vuln/detail/CVE-2022-21449>. Note that 15 and 16 are no longer supported, so it will only list 17 and 18 as impacted."

Checking the official CVE listing…

https://nvd.nist.gov/vuln/detail/CVE-2022-21449

It appears this is true: the reported versions in the official CVE listing only show 17 and 18, where 15 is also impacted.

In what universe exactly are versions omitted from vulnerability reporting because a vendor "no longer supports that version"… this non-supported version is still vulnerable?

Are exploit developers expected to check against the version of the vulnerable application during their exploit detonation to ensure they're "only infecting supported versions"?

Why is this being allowed… this is dangerous for everyone involved save for Oracle's own ego or public image?

Scratching my head,
Chad
