oss-sec mailing list archives

Re: Strange CVE situation (at least one ID should come of this)


From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)


On Tue, 30 Oct 2012, Kurt Seifried wrote:

> On 10/30/2012 11:34 AM, Steven M. Christey wrote:
>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice.  I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400   Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.

That's not the same as a generic "don't use this." For this CVE-2012-2400, there is a specific advisory from a specific vendor telling customers to patch a vulnerability. It's "unspecified" all over the place due to lack of details, so risk analysis is problematic, but it's a statement of some kind of vulnerability in a specific version by an authoritative source.

Oracle and HP publish advisories like this on a regular basis.

>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
>
> If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages and versions. One main use is in vulnerability management, but it's more general than that.

- Steve
