Re: Struts2 CVE-2015-5209


Jeremy Long

Feb 20, 2016, 8:08:58 AM
to bill....@scra.org, dependen...@googlegroups.com
It is not uncommon for the NVD to have `reserved` entries. I'm not 100% sure of their process, but it is my understanding that the reserved entries are there waiting on more information/confirmation. Unfortunately, the NVD is the best free source of vulnerability information. There are other sources for manual research such as the OSVDB, or Risk Based Security's VulnDB. There is no API access to the OSVDB, but it would not be hard to alter dependency-check to utilize a data source like VulnDB - but this would come with a licensing cost.

Commercial tools in the 3rd party vulnerability space that would likely catch these early issues would be SRC:CLR - as they have a research team behind their tool. In fact, I believe they were the original reporter of the re-introduction of this bug (I say re-introduction because I'm pretty sure this is related to WW-3631).

--Jeremy

On Thu, Feb 18, 2016 at 2:00 PM, <bill....@scra.org> wrote:

We were alerted of a vulnerability in our application due to CVE-2015-5209 (an issue with Struts2) via an outside entity. Dependency Check did not pick up this CVE. I reviewed the NVD and CVE websites. NVD does not list this CVE. The CVE web site has a placeholder for this CVE. The Apache Struts2 project page does list the vulnerability. The same applies for CVE-2015-5169.


Is it common for a CVE to be reserved but not completed? Would this be a lapse on Apache's part for not backfilling the CVE DB?


Thanks

Bill D.
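The gap Bill describes (a CVE the project's security page lists, the CVE site holds as a placeholder, and the NVD feed does not carry at all) can be checked mechanically if you keep a copy of a vendor advisory's CVE list alongside the NVD data. The script below is an added example, not dependency-check code and not something Jeremy or Bill posted. It assumes a locally cached NVD JSON 1.1 feed fragment and a CVE List snapshot, both constructed inline here; the ID CVE-2015-0000 in the sample feed is a made-up stand-in, while CVE-2015-5209 and CVE-2015-5169 are the two IDs from the thread. It classifies each advisory CVE as present in the NVD, a reserved placeholder, or unknown, so a scan that only consults the NVD can be audited for exactly this kind of miss.

```python
"""Cross-check a vendor advisory's CVE list against an NVD-style feed.

Added example for this thread; it is not part of dependency-check.
Assumptions: the feed is a constructed fragment in the NVD JSON 1.1 shape,
the CVE List snapshot is a constructed dict of ID -> description, and
"** RESERVED **" is the marker MITRE uses for placeholder entries.
"""
import json
import re

# CVE identifiers: CVE-YYYY-NNNN with four or more trailing digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample: a fragment of a locally cached NVD data feed.
# CVE-2015-0000 is a made-up stand-in entry, not a real CVE; the two 2015
# Struts IDs from the thread are deliberately absent, mirroring the report.
SAMPLE_NVD_FEED = json.dumps({
    "CVE_Items": [
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-2015-0000"},
                "description": {"description_data": [
                    {"value": "Constructed placeholder entry for the example."}
                ]},
            }
        }
    ]
})

# Constructed sample: CVE List entries keyed by ID. MITRE marks IDs that have
# been assigned but not yet populated with a description starting "** RESERVED **".
SAMPLE_CVE_LIST = {
    "CVE-2015-0000": "Constructed placeholder entry for the example.",
    "CVE-2015-5209": "** RESERVED ** This candidate has been reserved by an "
                     "organization or individual that will use it when announcing "
                     "a new security problem.",
    "CVE-2015-5169": "** RESERVED ** This candidate has been reserved by an "
                     "organization or individual that will use it when announcing "
                     "a new security problem.",
}

# Constructed sample: CVE IDs a project's security page attributes to an artifact.
SAMPLE_ADVISORY = {
    "org.apache.struts:struts2-core": [
        "CVE-2015-0000", "CVE-2015-5209", "CVE-2015-5169",
    ],
}


def nvd_ids(feed_json):
    """Return the set of CVE IDs present in an NVD JSON 1.1 feed document."""
    data = json.loads(feed_json)
    return {item["cve"]["CVE_data_meta"]["ID"] for item in data.get("CVE_Items", [])}


def classify(cve_id, nvd, cve_list):
    """Classify one advisory CVE ID relative to the NVD and the CVE List.

    Returns one of: "malformed", "nvd", "reserved", "cve-list-only", "unknown".
    """
    if not CVE_ID.match(cve_id):
        return "malformed"          # typo in the advisory, not a data-source gap
    if cve_id in nvd:
        return "nvd"                # an NVD-only scanner would see this one
    desc = cve_list.get(cve_id)
    if desc is None:
        return "unknown"            # assigned by a CNA but not yet published anywhere
    if desc.startswith("** RESERVED **"):
        return "reserved"           # placeholder: ID exists, details withheld
    return "cve-list-only"          # published by MITRE, not yet analysed by NVD


def coverage_gaps(advisory, feed_json, cve_list):
    """Return, per artifact, the advisory CVEs an NVD-only scan would miss."""
    nvd = nvd_ids(feed_json)
    report = {}
    for artifact, ids in advisory.items():
        gaps = {cid: classify(cid, nvd, cve_list) for cid in ids}
        gaps = {cid: status for cid, status in gaps.items() if status != "nvd"}
        if gaps:
            report[artifact] = gaps
    return report


if __name__ == "__main__":
    for artifact, gaps in coverage_gaps(SAMPLE_ADVISORY, SAMPLE_NVD_FEED, SAMPLE_CVE_LIST).items():
        for cid, status in sorted(gaps.items()):
            print(f"{artifact}: {cid} not in NVD ({status})")
```

Anything reported as "reserved" or "cve-list-only" is a finding the vendor knows about but the NVD-driven scanner cannot surface yet, which is the case to escalate by hand (or via a commercial feed) rather than wait for the NVD to backfill.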


Jeremy Long

Feb 20, 2016, 11:03:56 AM
to bill....@scra.org, dependen...@googlegroups.com
Just realized my link to the SRC:CLR detail page was incorrect, please see https://srcclr.com/security/internal-state-manipulation/java/s-1792

Additionally, it wasn't a re-introduction of WW-3631 - but the vulnerability and fix mechanism was related.

--Jeremy

Jeremy Long

Mar 12, 2016, 8:34:15 AM
to bill....@scra.org, dependen...@googlegroups.com
I believe the OSVDB is still there, but there is no free programmatic access to the data.

Risk Based Security has a great, commercial version, that can be found at https://vulndb.cyberriskanalytics.com/. They've been doing some interesting things and have a ton of vulns that are not in the NVD and RBS is much timelier in getting things posted. Another interesting tool to look at in the commercial space is SRC:CLR - their research teams are doing some very cool work; SRC:CLR has a commercial tool in this space whereas Risk Based Security's VulnDB provides comprehensive vulnerability intelligence data. I am sure there are other tools and data sources in this space that are also doing interesting work - those are just the main two I know of.

--Jeremy

On Tue, Mar 8, 2016 at 7:33 AM, <bill....@scra.org> wrote:

Jeremy,


Thanks for clarification, looks like Apache is lagging a little on the updates. I’ve been reviewing other Vuln DBs to get a feel for what is available. Links to OSVDB from the CVE site are all broken, do you know what has happened to the OSVDB? Their blog is an interesting read, but that is all I can get to on their site.


Thanks

Bill


