[Sebguer]

The worst part of these major vulnerabilities is the endless follow-on stream of knee-jerk 'CVE' that are clearly nothing-burgers, and yet will be described as a 'new Log4j' vulnerability, and cause a bunch of people who don't know better to panic.

[dylan604]

All of this reminds me of when Zoom was getting all of the attention. It's something that's been around for a while that nobody noticed, then somebody did. Everyone freaks out, and then New Vuln comes out weekly because now everyone is looking for it. Log4j hit servers, where Zoom hit people directly at home. Which is worse? Depends on persepective

[capableweb]

> Log4j hit servers, where Zoom hit people directly at home

Log4j is used in many desktop/client software as well, some of them being network connected as well, one way or another.

[mnd999]

CVE doesn’t have much credibility at this point as far as I’m concerned. It can mean anything.

[rfd4sgmk8u]

Hang about. You may have misunderstood what CVE is. CVE doesn't mean 'world ending vulnerability'. It means "common vulnerability and exposure".

It is merely a way of tagging security vulnerabilities through multiple products. Before CVE it was difficult to reason if a product was insecure because it had a an insecure component. CVE speaks to nothing of the severity (that CVSS), just that two products that have the same CVE suffer from the same root vulnerability in their components.

[mnd999]

Whether I misunderstand it or not (I don’t) is irrelevant because customers run scanning tools and demand fixes for any CVE without attempting to understand them.

[rfd4sgmk8u]

So, you either explain to the customer about how the CVE is out of scope in this context due to the various mitigations or lack of exploitability, or you patch it. Every CVE is real, and should be addressed. Your customers pay you to help them understand it.

[Sebguer]

That's fair, but it's not really the fault of MITRE / the CVE database, it's the fact that people have been incentivized to submit these. Similar conversations have come up around how NPM handles vulnerability reports, since they treat all vulnerabilities the same, including very low-risk ones like DoS risks that require control of your build pipeline.

The problem is compounded in cases like Log4j where not even the CVE score can be trusted, or in cases you're describing where end-users don't understand CVE itself and only know it in the context of these 'world-ending' vulnerabilities.

[rfd4sgmk8u]

The CVSS score cannot be trusted? How so? I don't see why any of the log4j CVE's 'cant be trusted'?

[Sebguer]

The third CVE arbitrarily had a score of ~7.5 despite requiring a non-standard configuration and only enabling a denial of service attack. The preceding CVE with the same outcome only warranted a 3.5, until it was shown to also potentially allow an RCE. CVSS is honestly pretty open to interpretation, since it's not a particularly objective set of measures.

[Quekid5]

This one is pretty milquetoast. Clickbait-y title to it, even.