One Solution to MITRE's Overworked CVE System: Build a New One (helpnetsecurity.com)
An anonymous reader writes: For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs). According to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely. The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a "Red Hat Product Security Cloud guy" and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.
Re: (Score:1)
Leave it to RedHat. Next we'll see systemd-CVE, which uses a dbus interface to generate new numbers on the fly, except the announcement will be in a binary format only readable by a new 'cvectl' binary.
Yeah, why am I not feeling good about the results of RedHat's "contribution" here? Don't get me wrong. It's cool that a company with the resources to do so is willing to help out with an important project, but still...
Re:Redhat = embrace, extend (Score:4, Insightful)
So in the interests of full disclosure and transparency I (Kurt Seifried) am writing this email as an individual and member of the DWF System, and not as an employee of Red Hat. Please note that although I have a day job at Red Hat I also (like many information security people) work on other projects in my personal life, either because they are not work related, or because it's simply not appropriate to work on the project as part of my day job (in this case it's less about Red Hat, and more about the fact that as a Red Hat Employee I am a member of the CVE Editorial Board).
Seems clear RedHat has nothing to do with this
Re: (Score:2)
Reality is so pedantic to a troll...
Thanks (Score:3, Insightful)
I was looking for a way to say this politely, but can you just can it with the systemd trolling? It has literally no connection to this proposal. This is some guy who happens to work at Red Hat. It shouldn't shock anyone that Red Hat employs a lot of people in the Linux and/or security worlds. He says right up front he is speaking on his own behalf and not that of Red Hat, and as far as I can tell he has jack-all to do with systemd development. There's even the possibility that he dislikes systemd as much a
Re: (Score:3, Insightful)
Re: (Score:1)
The ironic thing is that people are so against systemd, when many of their complaints apply equally to OpenRC. Namely, it's mostly written in C (81.8% C, 9.3% Shell, 8.5% makefile, 0.4% other), it has annotations for dependency resolution, supports cgroups, and I believe parallel startup is also in the works. But when systemd does it, clearly nobody needs those features.
The other ironic thing is that people have this nostalgic idea that sysvinit was somehow not a piece of crap. Except that it was self-defeat
copied from the register (Score:1)
Re: (Score:2)
Standards - https://xkcd.com/927/ (Score:2)
Yes, because another service is always the solution ... instead of fixing the existing one and improving it.
This is typical red hat (and a common Linux issue in general) ... we don't like it so we're going to reinvent the wheel ... poorly and refuse to acknowledge any problems or defects in the new version.
Sometimes you just need to put a little effort into actually working together instead of being a douchebag loan wolf who takes his toys and goes to live in the woods.
Re: (Score:3)
a douchebag loan wolf
Is that better or worse than a loan shark?
Re: (Score:2)
Is that better or worse than a loan shark?
That depends... Is it a douchebag loan shark?
Re: (Score:2)
Yes, because another service is always the solution ... instead of fixing the existing one and improving it.
So, how do you do that exactly? Someone asks MITRE for a CVE number for a vulnerability they've found and MITRE replies:
What next?
Re: (Score:2)
What next?
Why don't we just have the vendor self-generate a GUID to use to refer to the security vulnerability?
Whoever notes the vulnerability first generates a GUID, and MITRE's only job becomes to provide a database of the GUIDs.
Re: (Score:2)
MITRE refused to allocate a CVE. It's not the number that's the problem, it's that they are refusing to do their job.
"But according to a number of researchers" (Score:3)
1 is a number. There are lots of numbers.
If there's a problem at all, I would wager it's all the crappy "security researchers" trying to make a name for themselves by claiming the sky is falling and getting a CVE on their blog to make themselves look important.
Re: (Score:1)
What makes for a crappy security researcher? Because the software they've found a bug in isn't on MITRE's short little list of CVE-approved vendors?
Re: (Score:2)
If I have a Radware product in my organization, I would subscribe to their security and support mailing lists, which is where this seems to be posted. There are thousands or more of different products from different vendors, probably tens or hundreds of thousands if you include the crazy knockoffs, FOSS assemblages, and fly-by-night companies.
There are far fewer genuinely unique bits of software which most of these products are made from. E.g., only so many IP stacks are out there, only so many web se
Re: (Score:1)
I see your point. I only care to assign CVE IDs to my discoveries because folks ask me for them. It gets annoying when I've found a vulnerability and someone is hounding me about the CVE ID so they can track it and MITRE doesn't respond to my emails.
Red Hat/DoD/MITRE - I see the relationship (Score:3)
Another solution (Score:1)
Re: (Score:3)
When did this place become Facebook? What's next, "just sayin'"? "JK"? Perhaps your high ID explains it, but on Slashdot there's no reason to snark off and then hide behind your mom's skirt - we LIKE bold discussions.
Re: (Score:3)
A vague problem (Score:3)
Is the problem that MITRE has an inventory of unprocessed requests, or that MITRE is rejecting requests as duplicative or incorrect? That does make a difference in how one thinks about the problem. If the latter, perhaps those in favor of bypassing MITRE could provide convincing examples of incorrect rejections.
Re: (Score:1)
MITRE either isn't responding or is flat out rejecting valid requests because they've changed the scope of what they will assign numbers to.
Re: (Score:1)
Here is one http://www.openwall.com/lists/... [openwall.com]
"Not for profit"... (Score:2)
"Non-profit" is a pretty loaded term here. It implies charities or colleges or arts organizations. That's not really what's going on. It just means that they're not turning their profits over to any shareholders. There are tax consequences, but it's actually not all that big a deal, since even ordinary corporations are only supposed to be paying taxes on profits anyway, not revenues. Which theoretically lets them raise wages and lower prices, though they're not actually all that good at either. Mostly, they
Bull from a corporate shill Re:"Not for profit"... (Score:1)
Relevant XKCD (Score:1)
Solution: let's make a better one!
Problem: there are N+1 relevant places to look for CVEs.