Re: CONTENT DECISION: Presence of Services or Applications (SA)
On Wed, Aug 04, 1999 at 02:55:52PM -0500, Prosser, Mike wrote:
> I agree with these comments as well! Unless there is an actual
> vulnerability related to one of these services, don't see them as
> being CVE material just by running. This becomes a "best practice" or
> company policy decision rather than a vulnerability.

I believe the words you are looking for are vulnerability vs risk.
A service running is a risk. Not a vulnerability.

>
> -mike
>
> -----Original Message-----
> From: Aleph One [mailto:aleph1@UNDERGROUND.ORG]
> Sent: Tuesday, August 03, 1999 11:28 PM
> To: spaf@CS.PURDUE.EDU; Steven M. Christey
> Cc: cve-editorial-board-list@lists.mitre.org
> Subject: Re: CONTENT DECISION: Presence of Services or Applications
> (SA)
>
>
> On Tue, Aug 03, 1999 at 08:52:05PM -0500, Gene Spafford wrote:
> > I really do not like the idea behind this category. We might as
> > well include most MS-based protocols, and most TCP services. The
> > fact that a service is present and has a history of being a point of
> > entry on some systems is not a vulnerability. That's like saying
> > that the presence of computers tends to enable hacking -- take away
> > the computers, and you no longer have break-ins!
>
> Hear, hear!
>
> >
> > --spaf
> >
>
> --
> Aleph One / aleph1@underground.org
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01