Re: Nessus is labeling the severity as medium

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Every PM should have an exception process where you can give them a statement about why it is not a problem for your application. I expect they are trying to get out of filing paperwork.

Don't let policy get in the way of reality. Back in the days of blockchain being hip there was a thought experiment: You work for a company that uses the blockchain to manage all it's shipments. The blockchain cannot be tampered with so it is accurate. If one day you receive a box the blockchain labeled as "bananas" and it is filled with batteries, what do you do? Do you eat the batteries for potassium? 

On Tue, Apr 4, 2023 at 5:24 PM Michael Mueller <abaci.mjm@xxxxxxxxx> wrote:
CVE-2023-0464 has a base score of 7.5 and base severity of HIGH in the NVD (attached).

That score and the description of the problem are misaligned in my opinion (meaning, I agree with the LOW severity - our app is not affected).

But there are project managers in our organization that use NVD as the reference, and seeing the HIGH, are requiring a 30 day remediation deadline.

Us devs are caught in the middle.

Best regards and thanks for all you do,
Mike Mueller


On Tue, Apr 4, 2023 at 7:06 PM Dr Paul Dale <pauli@xxxxxxxxxxx> wrote:
I was discussing CVE-2023-0466 which seemed to be the relevant one.  Looking again, the table you included isn't overly clear (to me at least) what it's referring to.

Dr Paul Dale

On 5/4/23 09:02, Dr Paul Dale wrote:
We do not have a firm release date for 1.1.1u at this point.  As per our policy, LOW severity CVE are not release triggering and this one is considered LOW severity by the project.  Baring other eventualities, three months is a likely time frame.

I'll note that the issue here was in the documentation and that the fix is purely a documentation change.  This change is already available online on our web site:

    https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html


Dr Paul Dale

On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
Hello,

When will OpenSSL 1.1.1u be released? 

Tenable indicates the vulnerability severity of 1.1.1t as medium. I found this post indicating that there is no ETA on the release of OpenSSL 1.1.1u and that it may not be released for 3 months.


From Nessus/Tenable scan:

Plugin Plugin Name Severity Plugin Output Solution Risk Factor CVE
173260 OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities Medium Plugin Output:
  Banner           : Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
  Reported version : 1.1.1t
  Fixed version    : 1.1.1u
Upgrade to OpenSSL version 1.1.1u or later. Medium CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466

Regards,
 
Jack Joslin

Business Services Outsourcing Center (BSOC)

General Dynamics, Information Technology

327 Columbia Turnpike, Rensselaer, NY 12144

jack.joslin@xxxxxxxx

m: +1.321.431.5117

Follow us on Facebook | Twitter | LinkedIn

This electronic message transmission contains information from GDIT which may be attorney-client privileged, proprietary or confidential.  The information in this message is intended only for use by the individual(s) to whom it is addressed.  If you believe you have received this message in error, please contact me immediately and be aware that any use, disclosure, copying or distribution of the contents of this message is strictly prohibited. NOTE: Regardless of content, this e-mail shall not operate to bind GDIT to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose

 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux