[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability
From:       Jacques Le Roux <jacques.le.roux () les7arts ! com>
Date:       2023-04-19 6:25:36
Message-ID: 2849a749-83c1-68ab-3e8f-50cc667a6cf8 () les7arts ! com
[Download RAW message or body]

Hi Seth,

As I guess you know, the ASF has many (350+) projects: https://projects.apache.org/
OFBiz is only one of these projects. An "old" one, IIRW it was the 26th to get in.

I say that because we have our own security team.
Yet, all projects are overseen and especially helped by the ASF security team for security \
matter. In other words we (projects) all share the experience and expertise of the ASF security \
team.

So I must add that the ASF CVE tool has an optional REVIEW status.
This status allows the ASF security team to review and suggest improvements to the CVE \
announcement. As I did not use this tool before this CVE, I was sure of what I did (my old way) \
and did not pass by this status. If I had did so, the 2 points that you find "nice, and \
friendly" would have been amended by Arnout's review, lesson learned.

For the rest I guess your suggestions will be taken seriously by the ASF security team which \
maintain the CVE tool, especially for the OSS email part. I'll also take care of your \
suggestions for URLS, and will better use the tool that has 16 references types for URLS. \
Though they maybe need a bit of  explanation we are not all security experts :)

For the list of CVEs you gave, I'm not sure they used the CVE tool but If they did I guess next \
time it will be better thanks to our improving CVE  tool, hopefully by using the REVIEW status

Thanks again for your suggestions

Jacques

Le 19/04/2023 à 03:29, Seth Arnold a écrit :
> On Tue, Apr 18, 2023 at 11:15:52AM +0200, Jacques Le Roux wrote:
> > I used to give more information. For this one, using our "new" internal
> > process* (need an ASF credential) and  following step 11 of**, notably
> > 
> > <<Generally, reports should contain enough information to enable
> > people to assess the risk the vulnerability poses for their own
> > system, and no more.>>
> > 
> > I restricted the information to a minimum.
> Hello Jacques, thanks for the reply. I'd like to suggest that this policy
> should receive a review, as other list members have found the Apache
> defaults a bit wanting:
> 
> https://www.openwall.com/lists/oss-security/2023/01/31/7
> https://www.openwall.com/lists/oss-security/2022/10/12/2
> https://www.openwall.com/lists/oss-security/2022/08/26/4
> https://www.openwall.com/lists/oss-security/2022/01/25/15
> 
> > When sending to Mitre we replaced
> > https://lists.apache.org/list.html?announce@apache.org
> > by
> > https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc
> > 
> > You can see the result at https://www.cve.org/CVERecord?id=CVE-2022-47501
> This is nice, and friendly.
> 
> > We also changed the "problem type" to be more specific. Following the CWE
> > classification, we used "CWE-22 Improper Limitation of a Pathname to a
> > Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading
> > vulnerability" used by the finder who stayed as the CVE title. You can see
> > it at https://cveawg.mitre.org/api/cve/CVE-2022-47501 which is the json
> > version of the report.
> This is also nice and friendly.
> 
> > Regarding your points:
> > 
> > * the vulnerability was introduced long ago (years) when the plugin was
> > created. It was around 2013.
> This information is gold!
> 
> > * https://ofbiz.apache.org/security.html gives indirect information
> > about the fix. Do you suggest that we need to put a direct link like
> > https://github.com/apache/ofbiz-plugins/commit/582add7d3 ?
> The link to the security page is a good start; it's even one of the better
> security.html pages I've seen. (Thanks!) But we've all spent too much time
> trying to figure out what exactly might have been "the intended content"
> on a page five or ten years later. Having more specific information (such
> as the "582add7d3" here) directly available in the list archives will
> simplify future searches for information.
> 
> > Thanks for the links. We will certainly consider what can be done to
> > ease the work of downstream distributors and consumers.
> Thank you :)


[prev in list] [next in list] [prev in thread] [next in thread]