Apereo becomes a CVE Numbering Authority?


Andrew Petro

Dec 6, 2016, 11:52:05 AM
to Open
Background:

A Common Vulnerabilities and Exposures Identifier (CVE-ID) uniquely identifies a single security vulnerability in affected versions of a software product. This is very useful for being able to precisely communicate about and collaborate on vulnerabilities. Are you and I talking about the same open redirect vulnerability? It's clearer if they're uniquely identified.

CVE identifiers are issued by CVE Numbering Authorities. It's hierarchical, DNS-style or SSL-cert-style, with a root ("primary") authority delegating scoped responsibility to downstream authorities who can delegate scoped authority to downstream authorities who can... Authorities are allocated namespace in the CVE identifier space so that CNAs do not multiply assign a single identifier, and scopes are non-overlapping to reduce assigning multiple identifiers for a single vulnerability.

The Distributed Weakness Filing (DWF) Project is the catch-all CNA for open source projects not otherwise covered by a CNA. (Major "vendors" such as Apache, Google, Mozilla, Red Hat, Ubuntu are themselves CNAs under the primary authority).

Problem:

I'm losing my mind trying to obtain a CVE-ID for the Web Proxy Portlet over-cache-hitting bug, and other recent attempts to get CVE identifiers for uPortal stuff haven't been much fun or gone well either.

Solution:

Apereo becomes a CVE Naming Authority downstream from the Distributed Weakness Filing Project and then internally follows the CNA Rules to execute on issuing CVE-IDs to Apereo projects.


This worth doing? Apereo would have to marshal some attention and effort to operate this process on an ongoing basis, to fulfill the rules and to issue our projects CVE-IDs in a timely manner, but it could improve confidence, clarity, consistency, and timeliness for the CVE assignment part of responding to security vulnerabilities in Apereo products.

Anyone else have passion for making this happen?

-Andrew

Jim Helwig

Dec 6, 2016, 12:16:40 PM
to Open
I think this is the only reasonable action. I am not sure what the cost (in terms of time and effort) is but I support Apereo looking into it. It seems like this would be one of the value propositions of becoming an Apereo project. 

I think having CVEs provides value. In particular, it sets us up for potentially having Apereo projects included in automated scanning tools that look for installed software that has known vulnerabilities. For example, at UW-Madison we are starting to use the scanning of Docker images hosted on docker hub.

+1 for moving forward on this.

Having said that, I ran across this piece advocating for using embargoed CVEs only sparingly: “The hidden cost of embargoes.” Interesting position that the best thing for Open Source projects to do is to deal with most vulnerabilities in the open from the get-go. (Personally, I am not there yet so I would rather be able to get a CVE without full public disclosure. But perhaps we can try to do more resolution in the open.)

JimH


--
You received this message because you are subscribed to the Google Groups "Open" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open+uns...@apereo.org.
To post to this group, send email to op...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/open/.

Ian Dolphin (apereo)

Dec 7, 2016, 5:43:10 AM
to Petro Andrew, Open
I’m interested - particularly in how much “central” time is required and how much is needed by an individual software community.

Individual software communities would need to buy in to this - I don’t see it as something Apereo could or should mandate. Centrally, we would either need to recruit volunteer/s, or stop doing something else. Sorry to be blunt - if this is judged important enough, that’s what we’ll do.

Best

Ian


--
Ian Dolphin
Executive Director, Apereo Foundation


Discover more about Apereo by visiting www.apereo.org or subscribe to our announcements and open discussion lists by sending mail to announcemen...@apereo.org and open+su...@apereo.org

Andrew Petro

Dec 12, 2016, 12:54:09 PM
to Open
> I don’t see it as something Apereo could or should mandate.

I agree. Apereo projects would continue to do as they think best in requesting CVE identifiers, or not, and in undertaking security fixes first in secret or in public, or not.

Looks like CAS, for instance, has given up on CVE IDs under current realities.

I'd hope that by driving down frictions in CVE allocation, CAS and other projects would see enough value to opt-in. I'd hope for Apereo's CNA to adopt policies and practices that enable embargoed CVE-IDs, but it'd still be up to projects to determine whether and how long to embargo prior to public disclosure.

If Apereo became the CNA for the scope of Apereo projects, I do think that would mandate that if a project (or anyone else) chooses to request a CVE identifier for an Apereo product, they would make that request of Apereo.

> Centrally, we would either need to recruit volunteer/s

Okay, let's take the temperature: suppose we were to invent an Apereo CVE Assignment committee, charged with pursuing Apereo becoming a CNA for its scope, defining and implementing process, practices, and artifacts in support of this, and, once operational, the timely operation of this process to allocate actual CVE IDs.

Who would be willing to serve on such a committee? 

I, for one.

-Andrew

Ian Dolphin (apereo)

Dec 13, 2016, 1:14:07 PM
to Petro Andrew, Open
I’d be happy to sit on the committee/group. I’d also suggest a short piece for the Newsletter, setting out the benefits and encouraging folks to discuss on this list.

Best

Ian
--
Ian Dolphin
Executive Director, Apereo Foundation

ian.d...@apereo.org


Andrew Petro

Feb 8, 2017, 10:52:00 AM
to Open
Progress:

DWF has apparently re-constituted the mechanism for tracking interest in becoming CNAs downstream of DWF. Kurt Seifried reached out to ask that I re-submit an issue to the new tracker, and I have done so.

This registers interest and encourages the possibility of moving forward with Apereo becoming a CNA downstream of DWF, but of course does not commit Apereo to doing so.

-Andrew