Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability

[Jacques Le Roux <jacques.le.roux () les7arts com>]

Hi Seth,

As I guess you know, the ASF has many (350+) projects: https://projects.apache.org/
OFBiz is only one of these projects. An "old" one, IIRW it was the 26th to get in.

I say that because we have our own security team.
Yet, all projects are overseen and especially helped by the ASF security team for security matter.
In other words we (projects) all share the experience and expertise of the ASF security team.

So I must add that the ASF CVE tool has an optional REVIEW status.
This status allows the ASF security team to review and suggest improvements to the CVE announcement.
As I did not use this tool before this CVE, I was sure of what I did (my old way) and did not pass by this status.
If I had did so, the 2 points that you find "nice, and friendly" would have been amended by Arnout's review, lesson 
learned.

For the rest I guess your suggestions will be taken seriously by the ASF security team which maintain the CVE tool, 
especially for the OSS email part.
I'll also take care of your suggestions for URLS, and will better use the tool that has 16 references types for URLS. Though they maybe need a bit of 
explanation we are not all security experts :)

For the list of CVEs you gave, I'm not sure they used the CVE tool but If they did I guess next time it will be better thanks to our improving CVE 
tool, hopefully by using the REVIEW status

Thanks again for your suggestions

Jacques

Le 19/04/2023 à 03:29, Seth Arnold a écrit :
> On Tue, Apr 18, 2023 at 11:15:52AM +0200, Jacques Le Roux wrote:
> > I used to give more information. For this one, using our "new" internal
> > process* (need an ASF credential) and  following step 11 of**, notably
> >
> >     <<Generally, reports should contain enough information to enable
> >     people to assess the risk the vulnerability poses for their own
> >     system, and no more.>>
> >
> > I restricted the information to a minimum.
> Hello Jacques, thanks for the reply. I'd like to suggest that this policy
> should receive a review, as other list members have found the Apache
> defaults a bit wanting:
>
> https://www.openwall.com/lists/oss-security/2023/01/31/7
> https://www.openwall.com/lists/oss-security/2022/10/12/2
> https://www.openwall.com/lists/oss-security/2022/08/26/4
> https://www.openwall.com/lists/oss-security/2022/01/25/15
>
> > When sending to Mitre we replaced
> > https://lists.apache.org/list.html?announce () apache org
> > by
> > https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc
> >
> > You can see the result at https://www.cve.org/CVERecord?id=CVE-2022-47501
> This is nice, and friendly.
>
> > We also changed the "problem type" to be more specific. Following the CWE
> > classification, we used "CWE-22 Improper Limitation of a Pathname to a
> > Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading
> > vulnerability" used by the finder who stayed as the CVE title. You can see
> > it at https://cveawg.mitre.org/api/cve/CVE-2022-47501 which is the json
> > version of the report.
> This is also nice and friendly.
>
> > Regarding your points:
> >
> >   * the vulnerability was introduced long ago (years) when the plugin was
> >   created. It was around 2013.
> This information is gold!
>
> >   * https://ofbiz.apache.org/security.html gives indirect information
> >   about the fix. Do you suggest that we need to put a direct link like
> >   https://github.com/apache/ofbiz-plugins/commit/582add7d3 ?
> The link to the security page is a good start; it's even one of the better
> security.html pages I've seen. (Thanks!) But we've all spent too much time
> trying to figure out what exactly might have been "the intended content"
> on a page five or ten years later. Having more specific information (such
> as the "582add7d3" here) directly available in the list archives will
> simplify future searches for information.
>
> > Thanks for the links. We will certainly consider what can be done to
> > ease the work of downstream distributors and consumers.
> Thank you :)