
List:       oss-security
Subject:    Re: [oss-security] CVE-2022-21449 and version reporting
From:       "Christian Fischer" <christian.fischer@greenbone.net>
Date:       2022-04-30 19:09:16
Message-ID: 24e8-626d8980-3-6d44cb00@230483808

On Saturday, April 30, 2022 17:38 CEST, John Helmert III <ajak@gentoo.org> wrote:

> On Sat, Apr 30, 2022 at 01:24:36PM +0200, Christian Fischer wrote:
> > > It's not that they didn't/can't verify, it's already verified,
> > > they're claiming those versions no longer being officially supported
> > > means they can seemingly omit them from CVE reporting.
> > > 
> > > Which is dangerous, misleading, and nonsensical.
> > 
> > While I fully agree with this, be aware that CVE entries could generally
> > contain incomplete information:
> > 
> > After requesting an update of a CVE entry via the MITRE CVE forum in the
> > past to add additional affected products for a different vendor (which
> > wasn't even the assigning CNA like it is the case for Oracle here) my
> > request was rejected by MITRE with the following rationale given:
> 
> The CNA that assigned that CVE is Oracle, so Oracle is the CNA to talk
> to to make changes to it. MITRE won't make changes to it as they're
> not the CNA behind that CVE.
> 
> > > A CVE description does not necessarily contain all the affected
> > > products or versions and is not part of CVE ID requirements. The
> > > products are documented in the CVE references.
> > 
> > This also matches my experiences with various other products /
> > vendors and related CVE entries for these.
> 
> Right, this is documented in the CNA rules [1]:
> 
> "8.2.1 MUST provide enough information for a reader to have a
> reasonable understanding of what products are affected. If the
> affected products are not explicitly listed in the description, then
> the CNA MUST provide a reference that points to the known affected
> products."
> 
> [1] https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-2_cve_record_prose_description_requirements
> 

Yes, indeed / I know (since then), but it wasn't clear if all participants in this thread are
aware of this fact.

But I have just noticed that my posting was only partly relevant for the quoted message and the
question of the OP "Why is this being allowed…", because I had missed that Oracle (if they as
the assigning CNA are aware that Java 15 and 16 are affected) AFAICT indeed haven't provided
any reference so far about all known affected versions / products.

