[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

For example someone finds another memory disclosure in CloudFlare, and then another person finds a third one. Are we talking about A, B or C? CLoudBleed 1? The thing after CloudBleed? If they had CVE's or an equivalent identifier it would be much easier. Especially as I have to now interact with other vendors (Hey Atlassian, do you deliver JIRA via CloudFlare at all and are you affected by CloudBleed?). 

Especially as the data leaked from CloudBleed is now in all sorts of data caches around the internet (search providers, maybe archive.org, etc.), so we'll need to talk about this off and on for potentially the next few years. 

On Fri, Feb 24, 2017 at 9:03 AM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:
How do I use a CVE for a service vuln to check if my environment was affected and if so, that my ops have applied the proper remedies?

Tom Millar, US-CERT

Sent from +1-202-631-1915

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Friday, February 24, 2017 3:44:39 PM
To: Art Manion
Cc: jericho; Booth, Harold (Fed); cve-editorial-board-list
Subject: Re: CVE for hosted services

So uhh I'll just leave this example here:

I know for example on the CloudSecurityAlliance side I now need to forcibly reset every password for all our websites, and look at the third parties we do auth from (e.g. FaceBook/Linkedin) to see if they are affected (not that there is much we can do other than notify people). 

On Thu, Feb 23, 2017 at 8:36 PM, Art Manion <amanion@cert.org> wrote:
On 2017-02-23 19:05, jericho wrote:

> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
> Harold, how would you write a CVE-ish description of this, in the context
> of moving CVE to site-specific issues? The service and info disclosed is
> the easy part. Then what? Do you also mention some of the services that
> use Cloudflare? Some businesses may know, where individuals do not (e.g.
> 1Password is hosted on it). What date range do you put down for this? You
> know the fix date, but not the start date. This goes back to the problem
> of making such entries useful to companies trying to determine risk.

Not answering your question, but:

This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it."  The description might
be tricky, but the description is primarily to catalog/de-duplicate, not
to help assess risk.

CVE is lower layer of infrastructure.  Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.

 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Kurt Seifried

Page Last Updated or Reviewed: February 24, 2017