Re: Question regarding CVE applicability of missing HttpOnly flag

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 27/06/14 10:35 AM, Vincent Danen wrote:
> On 06/26/2014, at 10:00 AM, Kurt Seifried wrote:
>
> > On 26/06/14 05:45 AM, Jamie Strandboge wrote:
> > > Based on this email and the one this is in response to, I find
> > > this comment unclear. Is MITRE saying that:
> > >
> > > a) lack of implementing SELinux, AppArmor, virus scanner,
> > > firewall, <insert hardening software here> does not justify a
> > > CVE because of the complexity? b) lack of implementing SELinux,
> > > AppArmor, virus scanner, firewall, <insert hardening software
> > > here> does not justify a CVE and also cannot be considered an
> > > implementation error because of the complexity? c) implementing
> > > SELinux, AppArmor, virus scanner, firewall, and/or <insert
> > > hardening software here> is not worth it because the added
> > > complexity intrinsically makes the system less secure? d)
> > > something else?
> > >
> > > Thanks
> >
> > So one comment on this, replace the above with "DAC" 
> > (http://en.wikipedia.org/wiki/Discretionary_access_control) and I
> > bet we'd hand it a CVE =).
> >
> > Security lines move, I would expect most modern system of any
> > type (Windows, Linux, router, maybe not my bathroom scale that
> > talks wifi... yet) to have some sort of firewall enabled by
> > default and not simply leave everything exposed to the world. So
> > in that case not having a fire enabled by default would
> > definitely violate the principle of least surprise and maybe even
> > qualify for a CVE.
>
> Wait.  You're saying that not having a firewall enabled by default
> qualifies for a CVE?  I mean, firewalls are pretty common sense and
> should definitely be used/available/whatever but to say that an
> operating system or device doesn't have a firewall enabled by
> default should have a CVE assigned seems... excessive, doesn't it?

I'm saying in quite a few common situations it should probably qualify
for a CVE. Not every single situation. Same for HTTPOnly.
> How is not having a firewall enabled by default a _vulnerability_?
> If we look at it this way, it's a good thing CVEs go past 9999 per
> year because we need to change everything we used to call
> "hardening" to be a vulnerability, do we not?

How is not having DAC a _vulnerability_? and yet now DAC support is
required....


- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTrbr4AAoJEBYNRVNeJnmTOvoP/it6lxjM/fO4LnerZJaEAkBu
AijbL8S4VmN0TNw7Dgkz6AB10fJAAufFzSquWmkJrg0LdxD56l1TGp2mFN8aKDvy
QaBColFlMCo2vqD1e9h3Pa/9JtP+De7ClzJPL0ZVGvYoUyX0QE6tSEAyN+H4mBiG
vYaRZexT9gIdLMIXznpDRizPXpbivEHhwFsYt5BEggJAAmtWUoROp8jdCaksWcrm
XR4Q+YiqwkLHXyxMb8ammUmOGAl3UUNbTNwYF++ExrR5ODahorflY1xfXheXcZPG
yZUbkPMix/KPuMwOznfGapaoXDwKfx2J13LaSZEvcxY2LrX1rEyQhQcyg4GLpllt
yeSRSf8rMGUOk6sSjUXDnxvPgG4s+Lu4bbsDG4+MDlO0HxX098JyCyvcmDoJLSYd
BBETEP5Ru5alI30lZV04dH+2mh8XLo2gBHlkiE7COEEYVpMJGXuoawxYpBq7ftoT
mHejJZ7KkJRQCjLzTPb7Z8ZMOJKUnqBUaI1LnozdxD2AsaJsNdbRiSHdz0eEMzTW
BC+Bw6h9Y2GpnP8eMq22F1ODW9nfaKR+ANepMirZVVC1wFxluZGhj0ejlIfNdxKU
SRavu6q8mkGEPtuDkscfAo8pcwRlK4PFjsh87HwFKLVJl627aCLkCMIaJhQf0a/C
71dwHYIa4Mk7mwa+O7s2
=NlLO
-----END PGP SIGNATURE-----