
List:       oss-security
Subject:    Re: [oss-security] CVE-2022-21449 and version reporting
From:       John Helmert III <ajak () gentoo ! org>
Date:       2022-05-01 14:38:01
Message-ID: Ym6bSZb8S/5OVcuV () gentoo ! org


On Sat, Apr 30, 2022 at 09:09:16PM +0200, Christian Fischer wrote:
> On Saturday, April 30, 2022 17:38 CEST, John Helmert III <ajak@gentoo.org> wrote:
> 
> > On Sat, Apr 30, 2022 at 01:24:36PM +0200, Christian Fischer wrote:
> > > > It's not that they didn't/can't verify, it's already verified,
> > > > they're claiming those versions no longer being officially supported
> > > > means they can seemingly omit them from CVE reporting.
> > > > 
> > > > Which is dangerous, misleading, and nonsensical.
> > > 
> > > While I fully agree with this, be aware that CVE entries can generally
> > > contain incomplete information:
> > > 
> > > After requesting an update of a CVE entry via the MITRE CVE forum in the
> > > past to add additional affected products for a different vendor (which
> > > wasn't even the assigning CNA like it is the case for Oracle here) my
> > > request was rejected by MITRE with the following rationale given:
> > 
> > The CNA that assigned that CVE is Oracle, so Oracle is the CNA to talk
> > to to make changes to it. MITRE won't make changes to it as they're
> > not the CNA behind that CVE.
> > 
> > > > A CVE description does not necessarily contain all the affected
> > > > products or versions and is not part of CVE ID requirements. The
> > > > products are documented in the CVE references.
> > > This also matches my experience with various other products /
> > > vendors and their related CVE entries.
> > 
> > Right, this is documented in the CNA rules [1]:
> > 
> > "8.2.1 MUST provide enough information for a reader to have a
> > reasonable understanding of what products are affected. If the
> > affected products are not explicitly listed in the description, then
> > the CNA MUST provide a reference that points to the known affected
> > products."
> > 
> > [1] https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-2_cve_record_prose_description_requirements
> > 
> 
> Yes, indeed / I know (since then), but it wasn't clear if all participants in this
> thread are aware of this fact.
> But I have just noticed that my posting was only partly relevant for the quoted
> message and the question of the OP "Why is this being allowed…" because I have
> missed that Oracle (if they as the assigning CNA are aware that Java 15 and 16 are
> affected) AFAICT indeed haven't provided any reference so far about all known
> affected versions / products.

Their April 2022 CPU (Critical Patch Update) Advisory, which is a
reference of CVE-2022-21449, is pretty comprehensive:

https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

Supported versions affected: "Oracle Java SE: 17.0.2, 18; Oracle
GraalVM Enterprise Edition: 21.3.1, 22.0.0.2"

