RE: Initial Guidance on Linux Issues
Mark Cox wrote:
>I don't think commercial supported distributions are the problem for CVE,
>it's probably more of a problem for things like Fedora (Fedora 16 by
>comparison has ~11000 packages) where the number of security issues
>multiplies significantly. We've been trying to minimize this problem by
>asking for more information before giving out CVEs on the oss-security list.
>I'd solve this by having a minimum threshold required to get a CVE name;
>and apply the same requirements to each CNA, only allowing them to
>allocate names for OSS issues that will have a minimum defined set of
>information, such as:
>- fixed version [required]
>- pointer to patch or affected code segment [required]
>- flaw type (CWE or text) [required]
>- affected versions or first vulnerable version [nice to have]
>and so on.
I want to provide some feedback on the economic and political issues that need to be considered for your proposal to work, based on our experience with the Common Configuration Enumeration (CCE).
But, in doing so, my motivation is more to provide quick feedback and to redirect the conversation away from "How to cover things?" and back to the question "What things need to be covered?"
CCE attempted to give out CCE ids to "CNAs" while demanding/requesting semi-structured data to document each id in a manner very much analogous to what you suggest above. This approach failed and failed badly because: a) there are real costs on CNAs to produce acceptably good data and b) there's no economic or regulatory incentive for them to do so. As a result, CCE has large blocks of CCE ids that are being used "in the wild" for which we do not yet have documentation. The CCE effort is not staffed to a level where it would make sense for MITRE to "pull" descriptive content from CNAs and then reformat it to acceptable levels (as we do with CVE).
The current approach that CCE is taking is that MITRE will not give CCE ids to CNAs until the CNA has provided acceptably well formatted data for descriptions. The jury is still out as to whether or not this approach will work. Again, there is no regulatory requirement to participate in CCE and limited indirect economic incentive. Many vendors simply choose to not participate.
I'd suggest we table the question of reporting formats and requirements on CNAs and re-ask the original question.
Independent of the question of feasibility, is it required that there be CVE ids associated with all packages that are distributed by a commercially supported Linux distribution? Or, is there a smaller sub-set of packages for which we need full coverage while still allowing partial coverage of the others?
David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail: firstname.lastname@example.org | cell: 781.424.6003