[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2017-7269 and abandonware

I know for a fact we have Linux that is 10 years out of support (EoL) and still in use, and if there was a flaw specific to that (and not newer versions) I would still CVE it so at least people are aware of the flaws existence. And like G.I. Joe says "knowing is half the battle". 

On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org> wrote:
I agree with Kent's perspective on this.

In this specific case, the discoverer contacted the CNA and received a case number. However, they were told that the unsupported/obsolete product was outside the scope of the CNA.

> What are the assignment rules for abandonware (or unsupportedware)?

As Kent mentioned, this would be a good Board discussion and we could drive to a specific CNA rule that covers this situation. Does anyone disagree with Kent's perspective?

> Is the vendor CNA primarily responsible, if one exists?

Yes. We should always give them the opportunity and redirect to them first if they exist. If they refuse, then a next available CNA could be contacted. One item for the Board discussion, as the backup CNA how would we verify that this conversation took place.


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Thursday, March 30, 2017 9:33 AM
To: Art Manion <amanion@cert.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE-2017-7269 and abandonware

>From my perspective... I would like it to be the vendor CNA if one still exists.  If the vendor refuses or is no longer in business, then next up would be to go to a secondary CNA such as you list.

I would hope the vendor would want to issue that themselves even if the product is EOL.  There is concern in various circles that this type of acknowledgement from the vendor on an EOL’ed product could cause some liability on that vendor. Abandonware is going to become more and more of a problem with the new emerging device landscape.  Who owns the problems they create?

This is actually a great conversation for the Board to have.

Kent Landfield

On 3/30/17, 8:52 AM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Art Manion" <owner-cve-editorial-board-list@lists.mitre.org on behalf of amanion@cert.org> wrote:

    Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?


    What are the assignment rules for abandonware (or unsupportedware)?

    Is the vendor CNA primarily responsible, if one exists?

    Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC, JPCERT/CC?

     - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 30, 2017