[tptacek]

The purpose of CVEs is to ensure that people discussing vulnerabilities are talking about the same thing. CVEs aren't a checklist, they aren't a perfect enumeration, and it shouldn't matter if a CVE is issued for a nonissue.

People who are burdened by requirements to ship (or produce rolling updates) to address every Linux kernel CVE are living in a state of sin. It doesn't make sense for the kernel CNA to alter its behavior to accommodate them.

[roenxi]

My first thought on reading "cybersecurity regulations" was whether this was going to be the EU at the root cause again. The legislation mentioned in the article seems to be 2x EU instruments.

The problem here seems to be fear over how EU legislators and judges will interpret CVEs more than anything the kernel is doing. Looks like a complex and legally risky situation; good luck to the EU devs, hope it stays as a theoretical concern. I imagine common sense will prevail and the law will be interpreted the sensible way.

[graemep]

One possible solution is for people in the EU to set up their own triaging system to triage Linux CVEs (and other CVEs, and maybe other sources of info) in line with EU law. There should be enough people affected willing to find something like this.

I am not clear how the law affects people outside the EU whose software is distributed in the EU (including open source software that is not covered by the exemptions).

>I imagine common sense will prevail and the law will be interpreted the sensible way.

I hope it will, but I would hate to be in the position of having to depend on that.

[tracker1]

Largely my thought as well. Not having a kennel CNA would be far more problematic than the approach outlined for the Kernel CNA team.

Also if interpreted correctly it should help mitigate legal risks for EU companies that rely on Linux that update regularly.

[tsujamin]

It does matter, because they are inputs into other processes, and the signal to noise has gone down. There’ll be a lot more time wasted in orgs triaging non-security-relevant bugs in the future.

[Macha]

> There’ll be a lot more time wasted in orgs triaging non-security-relevant bugs in the future.

The security team instituting those processes only have themselves to blame.

Have had to deal with too many rapid Jackson updates for "if you turn on the insecure mode that nobody turns on that lets the client specify the classes to instantiate and the documentation warns you about and requires a code change to enable, and include library X, then there's a new gadget that does RCE".

[tracker1]

Not to mention DevSecOps that only know enough to run certain tools but not understand enough that certain flags don't apply because the canned test doesn't work the same as your app.

In my specific example /auth was reverse procured to a completely separate app, and /auth/login/bad wouldn't show the same content as / ... And even after explaining their test is invalid they still escalate rather than fixing or removing that test. Leaving me to explain 3 more times asking the way.

[tptacek]

It does not matter, because the signal was never there or meant to be there to begin with. CVEs solve a problem of multiple researchers and developers talking past each other about the same vulnerability (or vulnerable subsystem or line of code). It has never been a reliable enumeration of vulnerabilities. Organizations triaging CVEs line-by-line are abusing the system. The system should not bend itself to accommodate that abuse; that just harms everybody else who isn't abusing it.

[arp242]

This reminds me a little bit of the people saying things like "actually, Java is not "True Object Oriented™* because it's not about messaging like in Smalltalk", and things like that. Well, okay, fine, but it seems undisputable that the phrase "Object Oriented" is used to describe OOP as implemented in Java. When millions of people understand a term "wrong", then that becomes "correct" on virtue of it being so widely used. I mean, modern English is just old English spoken badly by Vikings and Normans, right?

That's kind of how things work, and not much you or I can do about it.

So we need to think about "What is practical?" and "what is useful?", keeping these realities in mind, rather than insisting on "this is what it was meant to be".

Personally I think a good start would be to rethink the entire messaging and list them as "high impact bugs you probably want to get fixed ASAP", or something along those lines, rather than "security bugs". This should avoid the whole security wankery with memory issues that perhaps maybe possibly could perhaps someday lead a possible exploit maybe.

[tptacek]

CVEs are categorically not "high impact bugs you probably want to get fixed ASAP". If you want that, make a new enumeration.

[gnfargbl]

They're also, equally categorically, not "a list of every bug in every system." If you want that, make a new enumeration.

As 'arp242 says, we need to consider what is useful. Pretending that all CVEs are severe and must be addressed immediately is not useful. Spamming the CVE database with every bug in your tracker is not useful.

Replacing CVEs (and CPEs, which are equally terrible) with something new would be extremely helpful. My question is, who funds that work? NIST currently appear to have NVD resourcing issues, based on the banner on their website.

[orf]

> When millions of people understand a term "wrong", then that becomes "correct" on virtue of it being so widely used

[Macha]

I don't think this applies here. People literally agree that CVEs are the identifiers beginning with CVE-xxxx published by CNAs. They don't for example, think they're ticket numbers from the Apache bug tracker. The fact that they use them as if the criteria for publishing a CVE was more rigid, doesn't actually make that criteria more rigid.

[tsujamin]

you’re missing the CVSS aspect which is intrinsically tied to CVE issuance (atleast when issued through the CNA-LR). It’s not _just_ an identifier, it’s a entirely valid and useful tool of triage and classification

[lokar]

For me, CVSS and the people who use it lost all credibility when they asked my team for a urgent update to patch… a pcmcia bug in the kernel of our EC2 instances.

[tptacek]

It's so easy to come up with stories about this that you don't really even need examples. I think everybody just sort of understands that if you put CVSS to the test, it would be ludicrously easy to stack two 8.0+ vulnerabilities next to each other with wildly different severity.

[tptacek]

CVSS is a Ouija board. Nobody takes it seriously. It was also introduced long after CVEs were. And even if it was meaningful --- it isn't, but stipulate --- it wouldn't change the fundamental point of CVEs.

[tsujamin]

CVSS as practiced sucks sometimes, the rules around not chaining vulnerabilities to up a score are rarely followed, but as specified it’s actually a good system.

Undercutting my own point though, it doesn’t hurt to rerun a calculation if you think the public vectors is “lacking” or if temporal/environmental metrics matter in your context

[tptacek]

I would be interested in seeing a professional vulnerability researcher of any note jumping in here to make a defense of CVSS. I'd rebut, respectfully, if they did. But I don't expect it to happen, despite that there are plenty of researchers on HN.

I feel like I'm on reasonably safe ground when I say that my take on CVSS is a mainstream one in the field.

[worthless-trash]

Where is upstreams CVSS score ?

[gnfargbl]

Let's continue your reductive line of thinking. If the only purpose is to ensure that developers are talking about the same issue, then why does the kernel need need CVEs at all? Their existing bug tracking mechanisms should be entirely adequate, no?

[pdonis]

In the 2019 article that is linked to in the LWN article posted upthread, that's exactly what Greg Kroah-Hartman suggested: use the change ID that the Linux kernel is already using as a vulnerability identifier.

Unfortunately, it does not appear that that proposal gained traction, since it's not discussed at all in the more recent LWN article.

[saagarjha]

Some platforms do in fact do this. If you run the entire stack, more power to you. But the kernel is forked by a hundred different people and everyone has their own bug trackers for that, so having an identifier for a security bug is actually useful to unify those.

[gnfargbl]

I would have no problem at all with the kernel developers introducing the concept of a "universal bug identifier," and developing a system for cataloguing and managing those UBIDs. I would also have no issue with CVEs being replaced by a set of flags on those UBIDs, which people could take notice of or ignore as they saw fit.

I do have a problem with the kernel devs attempting to burn down the only system we presently have, however terrible it is, and with HN justifying the bonfire on the basis that CVEs were always broken anyway.

[tptacek]

"Universal bug identifier" is precisely the point of CVE. They're not "broken" anymore than a WONTFIX bug is.

[pdonis]

> the signal to noise has gone down

As far as I can tell, the signal to noise has only "gone down" in the sense of "from really low to really, really low".

> There’ll be a lot more time wasted in orgs triaging non-security-relevant bugs in the future

It seems to me that even before this change there was a lot of time wasted in orgs triaging non-security-relevant bugs, because CVEs didn't carry much useful information before.

[mike_d]

> because they are inputs into other processes

CVEs should never be the input to anything except a triage pipeline, which in turn feeds other processes. If you don't have a competent pair of eyeballs (either internally or from a vendor) looking at CVEs with the context of how the impacted product is used in your organization, all you are doing is busy work.

Almost all end user organizations (not software vendors, OS distributors, etc) should pretend CVEs don't exist. Blindly apply all your OS and software patches within 24 hours of them being available and be done with it. You are much more likely to suffer a business loss as the result of a vulnerability than you are a patch application.

[amluto]

I think I agree. Erring in the direction of too many CVEs means that people trying to get bug fixes rolled out won’t need to deal with the dreaded “ok, we understand the problem, but we can’t actually fix it in our systems until it has a CVE” that comes all too often from distributors.