Add a guide for creating CVE entries #86
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,189 @@ | ||
| # CVE Creation Guide | ||
| This is a guide to creating a CVE request via Mitre. | ||
| It may be of some use to explain what the CVE fields are looking for with some hints and examples. | ||
|
|
||
| # Creating a CVE Request | ||
|
|
||
| This is an example of how to create a CVE with an older vulnerability from Mojolicious that did not have one previously assigned. | ||
|
There was a problem hiding this comment. Should we use a general example like There was a problem hiding this comment. I can change it it an example but likely should be generic There was a problem hiding this comment. @stigtsp the thing I like about using this example is that it exists and you can review the source info There was a problem hiding this comment. @stigtsp I looked at it but the example is likely best. The point was to give an example that someone could follow There was a problem hiding this comment.
Then please use There was a problem hiding this comment. I use Foo-Bar in the security policy guide. |
||
|
|
||
| * CPANSA-Mojolicious-2018-01 | ||
|
There was a problem hiding this comment. This might muddy the waters a bit, I don't think CPANSA identifiers are relevant for CVEs (except as URL references, but there are currently no way of linking to CPANSA resources) There was a problem hiding this comment. True but it is the specific issue in this example |
||
| Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain. | ||
|
|
||
| Affected range: <7.66 | ||
|
|
||
| CVEs: | ||
|
|
||
| References: | ||
| https://github.com/mojolicious/mojo/pull/1192 | ||
| https://github.com/mojolicious/mojo/issues/1185 | ||
| https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149 | ||
|
|
||
| ## Research the CVE database to ensure it has not been logged previously | ||
|
|
||
| Ensuring that the issue has not been previously logged is very important. | ||
| Duplicate entries will merely serve to confuse the issue and polute the CVE database. | ||
|
|
||
| 1. Access [Mitre.org CVE Search](https://cve.mitre.org/cve/search_cve_list.html) | ||
| 1. Search for various keywords including but not limited to the distribution or module name and any applicable words. | ||
| Review the results | ||
| 1. If the CVE appears to be the correct one it would likely be best to submit an issue containing the CVE number and link to the CVE database to [https://github.com/briandfoy/cpan-security-advisory/issues](https://github.com/briandfoy/cpan-security-advisory/issues) | ||
|
|
||
| ## Access Mitre CVE Form | ||
|
|
||
| 1. Access [Mitre CVE Form](https://cveform.mitre.org/) | ||
| 1. Select a request type: **_Report Vulnerability/Request CVE ID_** | ||
| 1. Enter your e-mail address: **[email protected]_** | ||
|
There was a problem hiding this comment. Authors/reporters should prob use their own email address here and not our list |
||
| 1. Enter a PGP Key (to encrypt): **_Leave blank as the email address is a mailing list_** | ||
| 1. Number of vulnerabilities reported or IDs requested (1-10): **_1_** | ||
|
|
||
| ### Vulnerability Type | ||
| This field may take some research/discussion with the CPAN module maintainer. | ||
| In the case of CPANSA-Mojolicious-2018-01 it mentions *leaks old cookies* so it is fairly obvious that it is _Information Disclosure_ however that is not on the list. | ||
| Options here that look like potentials are: | ||
|
|
||
| 1. Insecure Permissions | ||
| 1. Incorrect Access Control | ||
| 1. Other or Unknown | ||
|
|
||
| According to the [Pull Request](https://github.com/mojolicious/mojo/pull/1192): | ||
|
|
||
| _Mojolicious does not set the cookie domain if it is unset, but instead stores an additional origin parameter to store the original request-host. | ||
| RFC 6265 also requires that cookies without a valid domain set are assigned the domain of their request-host_ | ||
|
|
||
| Based on the lack of a **domain** attribute I would tend to specify **_Insecure Permissions_** | ||
|
|
||
| **_Insecure Permission_** is defined as _"The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor."_ | ||
|
|
||
| In this case the lack of the **domain** attribute exposes the old cookies to the server. | ||
|
|
||
| This is a judgement call so either of the other choices might be okay. | ||
|
|
||
| 1. Vulnerability type: **_Insecure Permissions_** | ||
|
|
||
|
|
||
| ### Vendor of the product(s) | ||
|
|
||
| Here you should specify the maintainer of the module. | ||
| Although you may be requesting CVE IDs for older vulnerabilities you can specify the current maintainer as it does not seem to propogate o the CVE database. | ||
|
|
||
| 1. Vendor of the product(s): **_SRI on CPAN_** | ||
|
|
||
| ### Product | ||
|
|
||
| For some CPAN modules this is fairly simple. | ||
| For others you may need to do some additional research. | ||
| For _CPANSA-Mojolicious-2018-01_ CPAN::Audit lists the vulnerability as **Mojolicious** in the identifier but the description correctly identifies **_Mojo::UserAgent::CookieJar_**. | ||
|
There was a problem hiding this comment. I'd say that in this example There was a problem hiding this comment. Yes, but in the case of a module like this it is specific to a certain part so it may be a case of a vulnerabilit that you are not encountering if you are not using Mojo::UserAgent::CookieJar |
||
| Reviewing [Commit ID](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) specified by CPAN::Audit verifies that the **_Mojo::UserAgent::CookieJar_** is the affected component. | ||
|
|
||
| 1. Product: **_Mojo::UserAgent::CookieJar_** | ||
|
|
||
| ### Version | ||
|
|
||
| CPAN::Audit specifies that the _Affected range_ is <7.66. | ||
| Again reviewing the [Commit](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) shows that it is tagged in 7.66 and reviewing the [Release for 7.66](https://metacpan.org/release/SRI/Mojolicious-7.66) from metacpan validates this. | ||
|
|
||
| 1. Version: **_before 7.66_** | ||
|
|
||
| ### Has vendor confirmed or acknowledged the vulnerability? | ||
|
|
||
| Some vulnerabilities are the subject of dispute but most of the older vulnerabilities that may be logged are likely acknowledged. | ||
|
|
||
| Please review the available information to make an accurate determination of the vendor/maintainer acknowledgement. | ||
|
|
||
| For _CPANSA-Mojolicious-2018-01_ the [Pull request](https://github.com/mojolicious/mojo/pull/1192) indicates that **SRI** (kraih) states that the module is leaking cookies. | ||
| Further, the actual fix in the [Commit](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) acknowledges the security issue. | ||
|
|
||
| 1. Has vendor confirmed or acknowledged the vulnerability?: **_Yes_** | ||
|
|
||
| ### Attack type | ||
|
|
||
| Similar to the vulnerability type above this may take some intuition and research. | ||
| In the case of _CPANSA-Mojolicious-2018-01_ the issue is related to old cookies being inproperly sent to the server. | ||
| This would likely be Remote as defined by: | ||
|
|
||
| _The vulnerability can be exploited through a network. | ||
| The attacker may be either on the adjacent or remote network._ | ||
|
|
||
| 1. Attack type: **_Remote_** | ||
|
|
||
| ### Impact | ||
|
|
||
| Again this may take some intuituion and research but in this case is fairly obvious: | ||
|
|
||
| 1. Impact: **_Information Disclosure_** | ||
|
|
||
| ### Affected component(s) | ||
|
|
||
| This section looks for details on what exactly caused the issue. | ||
| In the case of older issues that have been fixed it is can be fairly easy to extract the affected filenames and other relevant information. | ||
| For _CPANSA-Mojolicious-2018-01_ | ||
|
|
||
| 1. lib/Mojo/Cookie/Response.pm | ||
| 1. lib/Mojo/UserAgent/CookieJar.pm | ||
|
|
||
| The field requires comma separated values: | ||
|
|
||
| 1. Affected component(s): **_lib/Mojo/Cookie/Response.pm, lib/Mojo/UserAgent/CookieJar.pm_** | ||
|
|
||
| ### Attack vector(s) | ||
|
|
||
| The attack vector can be difficult to determine or articulate consisely. | ||
| For _CPANSA-Mojolicious-2018-01_ it is somewhat unclear whether the cookie for site A is leaked to Site B or simply that old cookies are sent to the web server to which you are connecting. | ||
|
|
||
| However, it would seem that connecting to a web server may send old cookie data to that server. | ||
|
|
||
| 1. Attack vector(s): **_Connecting to a web server using a vulnerable version submits information (cookies) that should not have been submitted_** | ||
|
|
||
| ### Suggested description of the vulnerability for use in the CVE | ||
|
|
||
| If you are using CPAN::Audit as the source information you can likely use the information listed there. | ||
| It may also be a good idea to reference the Issue or Pull Request if either of them provide additional relevant information. | ||
|
|
||
|
|
||
| 1. Suggested description of the vulnerability for use in the CVE: | ||
|
|
||
| Consider that this should be useful as an email subject, and searchable. | ||
| The following example roughly matches the de-factor standard formatting for Perl module vulnerabilities. | ||
|
|
||
| **_Mojolicious before 7.66 for Perl has Cross Domain Cookie Leakage in Mojo::UserAgent::CookieJar_** | ||
|
|
||
| - "Mojolicious" is the name of the package and should be first in the description | ||
| - "before 7.66" implies that it has been fixed in later versions | ||
| - "for Perl" identifies this as a perl package, allowing discoverability | ||
| - "Cross Domain Cookie Leakage" is a short description of the vulnerability | ||
| - "Mojo::UserAgent::CookieJar" is the vulnerable component/function inside the package (optional) | ||
|
|
||
|
|
||
| ### Discoverer(s)/Credits | ||
|
|
||
| On occasion, the discoverer and or credit may be disputed. | ||
| It is likely good practice to error on the side of caution and report the facts with references. | ||
| Sometimes a maintainer will specifically credit a reporter or discoverer but mentioning the issue as logged by ... might be best. | ||
| In the case of _CPANSA-Mojolicious-2018-01_ the issue listed in https://github.com/mojolicious/mojo/issues/1185 was logged by @expbbc. | ||
|
|
||
| Interestingly @expbbc did not mention security in the initial issue. | ||
| They did however mention that it might be considered a security issue in the [Pull Request](https://github.com/mojolicious/mojo/pull/1192) | ||
|
|
||
| 1. Discoverer(s)/Credits: **_Paul Robins (@expbbc)_** | ||
|
|
||
| ### Reference(s) | ||
|
|
||
| If you are using CPAN::Audit as the source information it provides reference URLs that can be used here. | ||
timlegge marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| 1. Reference(s): | ||
|
|
||
| **_https://github.com/mojolicious/mojo/pull/1192_** | ||
| **_https://github.com/mojolicious/mojo/issues/1185_** | ||
| **_https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149_** | ||
|
|
||
| ### Additional information | ||
|
|
||
| You can provide additional information that you may have if it is relevant. | ||
|
|
||
| Some possible additional information: | ||
| 1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention it here | ||
|
There was a problem hiding this comment. Also, maybe worth mentioning that a vuln that has been discussed in public is by default public and not embargoed. So References should not be given for anything embargoed |
||
| 1. Potentially reference the year it was discovered if not mentioned elsewhere | ||
|
|
||
| In this example one could mention the year | ||
|
|
||
| 1. Additional information: **_This vulnerability was reported and patched in 2018_** | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have moved the files around since this was made; Better update the link to the new location? (
docs/guides/cve-creation-guide.md)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Merging the main branch into this one should work with a little tweaking.