by haukem 1990 days ago
How do you mark a CVE as invalid or request an update? I tried the Update Published CVE process, but nothing happened, not even a reject, just no answer. Multiple CVEs which are invalid were reported against OpenWrt, but we (the OpenWrt team) haven't found out how to inform Mitre.

For example CVE-2018-11116: someone configures an ACL to allow everything, and then code execution is possible, as expected: https://forum.openwrt.org/t/rpcd-vulnerability-reported-on-v...

And CVE-2019-15513: the bug was fixed in OpenWrt 15.05.1 in 2015: https://lists.openwrt.org/pipermail/openwrt-devel/2019-Novem...

For both CVEs we were not informed. For the first one, someone asked in the OpenWrt forum about the details of this CVE, and we were not even aware that there was one. The second one I saw in a public presentation from a security company mentioning 4 CVEs on OpenWrt, and I was only aware of 3.

When we, or a real security researcher, request a CVE for a real problem as an organization, it often takes weeks until we get it; we released some security updates without a CVE because we didn't want to wait so long. It would also be nice to update them later to contain a link to our detailed security report.

2 comments

> When we, or a real security researcher, request a CVE for a real problem as an organization, it often takes weeks until we get it; we released some security updates without a CVE because we didn't want to wait so long.

From your point of view, I'm sure that's probably quite frustrating. From my point of view (as a user), that's completely absurd, should never happen, and is a huge deficiency in the CVE program.

Fortunately, it's possible for the OpenWRT project to become a CNA [0] and gain the ability to assign CVE IDs themselves.

See "Types" under "Key to CNA Roles, Types, and Countries" [1]:

> Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.

--

[0]: https://cve.mitre.org/cve/cna.html#become_a_cna

[1]: https://cve.mitre.org/cve/request_id.html#key_cna_roles_and_...

I would email MITRE, replying to your own email that they haven't responded to, after a couple of months. I once had to request a status update nearly two months later to get a response; I suspect they are busy.