Posted to dev@qpid.apache.org by Lorenz Quack <qu...@gmail.com> on 2016/08/31 12:19:58 UTC

DRAFT: Dispute of CVSS Score for CVE-2016-4974

Hello Qpid-Dev,

Context:
As you might be aware, the recent Qpid vulnerability CVE-2016-4974
received a very high severity rating of 9.8 by NIST.  We feel that
this was unjustified and are in the process of getting this
adjusted.  The first step, getting MITRE to change the description,
was completed.

Now that MITRE has changed the description of CVE-2016-4974 I am
going to request that NIST re-evaluate the severity of the issue.
Please find below a draft of that request.

After a ready-for-comments period of 24h I will send this to NIST.

Kind regards,
Lorenz


DRAFT:

Dear Madam or Sir,

I would like to dispute the CVSS score of CVE-2016-4974 [1].

Upon our request the MITRE description [2] was recently changed
to more accurately describe the circumstances under which this
vulnerability can be exploited.  The original description read:

     Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
     1.0) before 0.10.0 does not restrict the use of classes
     available on the classpath, which might allow remote
     attackers to deserialize arbitrary objects and execute
     arbitrary code by leveraging a crafted serialized object in a
     JMS ObjectMessage that is handled by the getObject function.

This has been changed in the following way:

     [...] which might allow remote authenticated users with
     permission to send messages to deserialize arbitrary objects
     [...]

I can see that this change is already reflected in the NVD
database.  However, the CVSS severity score has not been
adjusted.

Our impression is that the current high rating is mainly due to
the misunderstanding that this vulnerability could be exploited
by an unauthenticated remote attacker, which is not correct.  To
exploit the vulnerability the following conditions need to be
met:

  * The attacker needs authorization to send messages to the
    target system.

  * The target application needs to call getObject() on the
    received JMS message.

  * The target application needs to have additional exploitable
    classes (e.g., Apache Commons Collections [3]) on the JVM
    classpath.

For reference, Red Hat's CVSSv3 severity assessment [4] resulted
in a score of 5.6, whereas NVD's assessment [1] resulted in a
score of 9.8.

Please let me know if you require further information to consider
changing the CVSS score.


Kind regards,

Lorenz Quack
on behalf of the Apache Qpid Project Management Committee


[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[3] https://issues.apache.org/jira/browse/COLLECTIONS-580
[4] https://access.redhat.com/security/cve/CVE-2016-4974


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Re: DRAFT: Dispute of CVSS Score for CVE-2016-4974

Posted by Keith W <ke...@gmail.com>.
Lorenz,

The suggested text looks reasonable to me and meets the requirements
of NIST's FAQ entry "I would like to dispute the score of a
vulnerability. What should I do?"
https://nvd.nist.gov/faq#440bb045-9d20-4e17-b463-8d45ff555ef1

cheers Keith

On 31 August 2016 at 13:19, Lorenz Quack <qu...@gmail.com> wrote:
