oss-sec mailing list archives
Re: CVE-2022-21449 and version reporting
From: Jeremy Stanley <fungi () yuggoth org>
Date: Thu, 28 Apr 2022 15:45:02 +0000
On 2022-04-28 14:12:04 +0000 (+0000), Seaman, Chad wrote:
[...]
> In what universe exactly are versions omitted from vulnerability reporting because a vendor "no longer supports that version"… this non-supported version is still vulnerable?

The alternative is what projects I work on do: If the oldest supported version is vulnerable, then assume all unsupported versions are also vulnerable unless someone is able to find evidence to the contrary (we basically just always list <= the oldest fixed version as vulnerable).

> Are exploit developers expected to check against the version of the vulnerable application during their exploit detonation to ensure they're "only infecting supported versions?"

Vulnerability managers' jobs aren't to make things easier for exploit developers, quite the opposite in fact. My goal is to make sure users know when they may be running vulnerable software and disseminate fixes for all supported releases, where possible.

> Why is this being allowed… this is dangerous for everyone involved save for Oracle's own ego or public image?

Speaking from the perspective of volunteer-run open source projects like the ones I work on, there are only so many hours in the day so we have to limit what versions of software we can effectively test and fix. In our case, as I said, we just assume that all older versions are also vulnerable unless we happen to find information to the contrary, but I can certainly understand if others have a policy to only bother providing information about versions they support (and flat out tell users to upgrade to a supported version).
-- 
Jeremy Stanley
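As an added illustration of the two listing policies argued over in this thread (not code from the thread or from any project mentioned in it), here is a small Python check that classifies an installed version against an advisory's fixed releases. The advisory data, branch layout and version numbers are constructed for the example and are not CVE-2022-21449's.

```python
"""Classify an installed version against an advisory's fixed releases under two
advisory-listing policies: "assume everything below the oldest fix is vulnerable"
versus "only list versions on supported branches"."""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.1.2' into (3, 1, 2) so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def classify(installed: str, fixed_releases: list[str],
             assume_older_vulnerable: bool) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one installed version.

    fixed_releases: the first fixed release on each *supported* branch (one per
    major version).  assume_older_vulnerable=True applies the policy described in
    the message above (anything <= the oldest fixed release is reported vulnerable,
    including branches the vendor no longer supports).  False models an advisory
    that only mentions supported branches, so older versions simply go unlisted.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_releases)
    # Branch rule: compare against the fix shipped on the same major branch.
    for fix in fixes:
        if fix[0] == inst[0]:
            return "fixed" if inst >= fix else "vulnerable"
    # No supported branch matches; this is where the two policies diverge.
    if inst < fixes[0] and assume_older_vulnerable:
        return "vulnerable"
    return "not listed"


# Constructed advisory: supported branches 2.x and 3.x, fixed in 2.4.1 and 3.1.2.
ADVISORY_FIXES = ["2.4.1", "3.1.2"]


def scan(inventory: list[str], assume_older_vulnerable: bool) -> dict[str, str]:
    """Classify every version in a (constructed) inventory.  Versions that come
    back 'not listed' are the blind spot a scanner inherits from a supported-only
    advisory: the host is still vulnerable, it just never matches."""
    return {v: classify(v, ADVISORY_FIXES, assume_older_vulnerable) for v in inventory}


if __name__ == "__main__":
    inventory = ["1.9.0", "2.4.0", "2.5.0", "3.0.5", "3.1.2", "4.0.0"]
    for policy in (True, False):
        print(f"assume_older_vulnerable={policy}: {scan(inventory, policy)}")
```

Note that 3.0.5 is above the oldest fix (2.4.1) yet still vulnerable under both policies, because the branch-specific fix 3.1.2 applies to it; only the 1.x host changes status between the two policies.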