Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 27 Jun 2014 10:45:48 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: jamie@...onical.com, cve-assign@...re.org
Subject: Re: Question regarding CVE applicability of missing
 HttpOnly flag

On 06/26/2014, at 9:59 AM, cve-assign@...re.org wrote:

> It is closest to b. It would be very rare to assign a CVE for a design
> choice by a system integrator. Suppose a new operating-system
> distribution ships tomorrow without a virus scanner. Often the best
> model for this would be a set of tasks that hasn't happened. For
> example, the vendor hasn't yet investigated customer requirements for
> what a virus scanner should do. The vendor hasn't performed the
> release-engineering work of packaging a virus scanner. There are other
> tasks as well. We don't think that CVE consumers are looking for us to
> tag cases where a product lacks complete subsystem parity with all
> possible competitors.

I'm not sure that I understand or agree with this.  The above sounds to me like not having a virus scanner in an OS is a security flaw, but the only reason it's not being described as such is a technicality.

Virus scanners are useful proactive security, but I don't think that means the _lack_ of one exposes a vulnerability.  The vulnerability (which should be what gets a CVE) is exposed regardless of the presence of a virus scanner -- all the scanner does is make detection easier and possibly prevent something from being executed that may otherwise be unwittingly executed (or may not, the vendor cannot make that determination).

I suppose maybe there is a CWE for not having a virus scanner, which makes sense as that could be considered an overall system weakness.  So I guess the next question is whether or not there is a 1:1 mapping for CWE and CVE (i.e. if something has a weakness (software, OS, configuration) does that automatically make it an actual vulnerability).

I'm also really confused on how any of these tasks have any bearing on what constitutes a vulnerability because they seem irrelevant as far as determining whether or not an actual flaw exists:

- lack of a proactive security mechanism (virus scanner, etc.)
- customer requirements (I fail to see how this impacts whether or not something is a flaw)
- release engineering work (or, possibly, "how hard is this to fix?")
- feature parity with other competitors

All of these sound like marketing issues, not factors to determine whether or not a flaw is a flaw.

-- 
Vincent Danen / Red Hat Product Security
Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.