Subject: [OASIS Issue Tracker] (CSAF-22) Check of CVSSv3 Vector string length limit (including ND as values per optional components)


Stefan Hagen created CSAF-22:
--------------------------------

             Summary: Check of CVSSv3 Vector string length limit (including ND as values per optional components)
                 Key: CSAF-22
                 URL: https://issues.oasis-open.org/browse/CSAF-22
             Project: OASIS Common Security Advisory Framework (CSAF) TC
          Issue Type: Task
            Reporter: Troy Fridley
            Assignee: Stefan Hagen


From Troy's mail:

The one thing that jumped out at me that we need to fix is the updated schema for CVSS v3 Vector string. Section 6.112.2.4 – The element contains a limit of 76 characters. This was sufficient to hold a terminated string with maximum length values for a CVSS v2 Vector. CVSS V3 vectors can be significantly longer. 118 characters for a complete Vector string with values for Base, Temporal, and Environmental. If someone chooses, as is allowed by the spec, to use ND (Not Defined) for all the values for the Temporal and Environmental sections then it can be up to 138 characters. De facto practice though is to assume ND for any value not supplied in the vector string.

We probably want to increase that limit to 140 characters which leaves 2 bytes for termination or padding if needed. Someone please check my math.

This went into the editor revision 2017-03-24.

Analysis resulting in revised proposal:

I find 117 characters needed (without any end-of-string marker or end-of-line) for the maximal use case but no "ND" set:
 
All set (but no ND):
 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
 
above from NVD
 
Ditto:
 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
 
above from FIRST
 
Now from spec https://www.first.org/cvss/specification-document 6. Vector table:
 
len(CVSS:3.0) = 8
max(len(Base)) = 8 * len(/) + len(AVACPRUISCIA) + 8 * len(:) + 8 * 1
max(len(Temporal)) = 3 * len(/) + len(ERLRC) + 3 * len(:) + 3 * 1
max(len(Environmental)) = 11 * len(/) + len(CRIRARMAVMACMPRMUIMSMCMIMA) + 11 * len(:) + 11 * 1
 
max(VectorV3) = 8  +  8 * (1 + 1 + 1) + 12  + 3 * (1 + 1 + 1) + 5  +  11 * (1 + 1 + 1) + 26 = 117
 
Good: 117 characters needed (without any end-of-string marker or end-of-line) for the maximal use case but no "ND" set.
 
 
Now with "ND" (for Not Defined in the temporal and environmental instead of leaving them out):
 
len(CVSS:3.0) = 8
max(len(Base)) = 8 * len(/) + len(AVACPRUISCIA) + 8 * len(:) + 8 * 1
max(len(Temporal)) = 3 * len(/) + len(ERLRC) + 3 * len(:) + 3 * 2
max(len(Environmental)) = 11 * len(/) + len(CRIRARMAVMACMPRMUIMSMCMIMA) + 11 * len(:) + 11 * 2
 
max(VectorV3ND) = 8  +  8 * (1 + 1 + 1) + 12  + 3 * (1 + 1 + 2) + 5  +  11 * (1 + 1 + 2) + 26 = 131
 
sample:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:ND/RL:ND/RC:ND/CR:ND/IR:ND/AR:ND/MAV:ND/MAC:ND/MPR:ND/MUI:ND/MS:ND/MC:ND/MI:ND/MA:ND
 
 
So there I find 131 characters needed (without any end-of-string marker or end-of-line) for the maximal use case with "ND" set.
 
 
So I will correct the XSD schema rule and prose in the next editor revision from 140(138) down to 133(131).
 
 
The table (data copied, enumerated and denormalized):
 
Table 15: Base, Temporal and Environmental Vectors
 
===========================================================================================================
Metric Group        Metric Name                     NameCode    Possible Values       Mandatory?  Sugg.Seq.No
===================+===============================+===========+===================+===========+===========
Base                Attack Vector                   AV          [N,A,L,P]           Yes                  1
Base                Attack Complexity               AC          [L,H]               Yes                  2
Base                Privileges Required             PR          [N,L,H]             Yes                  3
Base                User Interaction                UI          [N,R]               Yes                  4
Base                Scope                           S           [U,C]               Yes                  5
Base                Confidentiality                 C           [H,L,N]             Yes                  6
Base                Integrity                       I           [H,L,N]             Yes                  7
Base                Availability                    A           [H,L,N]             Yes                  8
-------------------+-------------------------------+-----------+-------------------+-----------+-----------
Temporal            Exploit Code Maturity           E           [X,H,F,P,U]         No                    9
Temporal            Remediation Level               RL          [X,U,W,T,O]         No                   10
Temporal            Report Confidence               RC          [X,C,R,U]           No                   11
-------------------+-------------------------------+-----------+-------------------+-----------+-----------
Environmental       Confidentiality Req.            CR          [X,H,M,L]           No                   12
Environmental       Integrity Req.                  IR          [X,H,M,L]           No                   13
Environmental       Availability Req.               AR          [X,H,M,L]           No                   14
Environmental       Modified Attack Vector          MAV         [X,N,A,L,P]         No                   15
Environmental       Modified Attack Complexity     MAC         [X,L,H]             No                   16
Environmental       Modified Privileges Required    MPR         [X,N,L,H]           No                   17
Environmental       Modified User Interaction       MUI         [X,N,R]             No                   18
Environmental       Modified Scope                  MS          [X,U,C]             No                   19
Environmental       Modified Confidentiality        MC          [X,N,L,H]           No                   20
Environmental       Modified Integrity              MI          [X,N,L,H]           No                   21
Environmental       Modified Availability           MA          [X,N,L,H]           No                   22
===================+===============================+===========+===================+===========+===========
===========================================================================================================
 




--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
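An added worked example in Python (not part of the issue, the CSAF schema, or the CVSS specification): it derives the 117 and 131 character maxima from Table 15 above and validates vector strings against the table, the metric ordering, and a configurable schema length limit. Table 15 lists "X" as the Not Defined value; the nd_tokens parameter that lets optional metrics also carry the issue's "ND" token is an assumption of this example.

```python
import re

PREFIX = "CVSS:3.0"
# Metric codes and allowed values transcribed from Table 15 in the issue.
# "X" is the table's Not Defined value; accepting "ND" is an assumption here.
BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
        "C": "HLN", "I": "HLN", "A": "HLN"}
TEMPORAL = {"E": "XHFPU", "RL": "XUWTO", "RC": "XCRU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML", "MAV": "XNALP",
                 "MAC": "XLH", "MPR": "XNLH", "MUI": "XNR", "MS": "XUC",
                 "MC": "XNLH", "MI": "XNLH", "MA": "XNLH"}
ORDER = list(BASE) + list(TEMPORAL) + list(ENVIRONMENTAL)  # Sugg.Seq.No
ALLOWED = {k: set(v) for g in (BASE, TEMPORAL, ENVIRONMENTAL) for k, v in g.items()}


def max_vector_length(nd_token="X"):
    """Longest vector: every metric present, optional ones set to nd_token."""
    total = len(PREFIX)
    total += sum(len("/") + len(code) + len(":") + 1 for code in BASE)
    width = max(1, len(nd_token))  # 1 for "X", 2 for "ND"
    for group in (TEMPORAL, ENVIRONMENTAL):
        total += sum(len("/") + len(code) + len(":") + width for code in group)
    return total


def validate_vector(vector, max_len=None, nd_tokens=("X",)):
    """Return (ok, reason): checks length limit, prefix, metric syntax, known
    codes, allowed values, duplicates, Table 15 order and base completeness."""
    if max_len is not None and len(vector) > max_len:
        return False, f"length {len(vector)} exceeds limit {max_len}"
    parts = vector.split("/")
    if parts[0] != PREFIX:
        return False, "bad prefix"
    last, seen = -1, set()
    for item in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z]{1,2})", item)
        if not m:
            return False, f"malformed metric {item!r}"
        code, value = m.groups()
        if code not in ALLOWED or code in seen:
            return False, f"unknown or duplicate metric {code}"
        optional = code not in BASE
        if value not in ALLOWED[code] and not (optional and value in nd_tokens):
            return False, f"bad value {value} for {code}"
        idx = ORDER.index(code)
        if idx < last:
            return False, f"metric {code} out of order"
        last, _ = idx, seen.add(code)
    if not seen >= set(BASE):
        return False, "missing base metric"
    return True, "ok"
```

Running the issue's two sample vectors through validate_vector with max_len=131 reproduces the 117 and 131 counts and shows that the original 76-character limit rejects any complete v3 vector.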

