Re: [dss-x] Re: CVE for DSS spec

[Chet Ensign <chet.ensign@oasis-open.org>]

Hi Andreas,Â

This looks fine to me. By the way, who filed the original CVE? I'm curious to know the sequence of events.Â

Some suggestions:Â

- I recommend that the TC vote to approve the document and ideally that you publish it as a CN so that it fits into the standard deliverables of OASIS TCs. We can whip up a template for you right away.Â

- I agree with putting the warning on the homepage. I suggest under Announcements and under Technical Work Produced by the TC.

- I will also add the notice to the standards download page. The wording can mirror what you use on the homepage.Â

- Can any of the links be added to the CVE record? I would get the doc and proof of concept ready first and then, once those are up, notify MITRE to release the record.Â

By the way, how did the vulnerability come to the TC's attention?Â

/chet

On Wed, Jun 24, 2020 at 4:04 PM akuehne <akuehne@trustable.eu> wrote:

Hi Chet,

sorry, I have to come back to the vulnerability issue again. It's great
that OASIS is working on a policy document helping the TCs to handle
these topics in a professional manner. But an ad-hoc poll in the DSS-X
TC made it obvious that we don't want to wait any longer before
disclosing our vulnerability.

My approch would be to upload a document describing the problem and its
remediation. Additionally I would like to upload a simple
Proof-of-concept snippet to github.
The next step would be mailing to our lists and a prominent message on
TC's homepage describing the problem, a link to the mantioned documentÂ
and PoC, the way to mitigate it in DSS core 1.0 and the confirmation
that the problem is NOT present in DSS-X core 2.0!
The third step is to give Mitre a hint that our CVE can be published.

Do you consider this as a useful way to move forward?

Greetings,

Andreas
> Thanks Andreas - I'll be reviewing those with the committee. We have had
> discussion on those topics - just haven't reached consensus yet.
>
> /chet
>
> On Thu, May 21, 2020 at 5:08 PM Andreas Kuehne <kuehne@trustable.de> wrote:
>
>> Hi Chet,
>>
>> see my comments in Policy document. My major topic is that the
>> complexity of a violnerability of standard (compared with a software
>> flaw) is not addressed:
>>
>> - Who are the stakeholders?
>> - How to contact them?
>> - How to avoid unintended full disclosure by informing vulnerabilty
>> traders?
>>
>> Greetings,
>>
>> Andreas
>>> Andreas, this is really interesting. We have two documents right now:
>>>
>>> - The Vulnerability Handling and Disclosure Policy at
>>>
>> https://docs.google.com/document/d/1Vx-ul_MTenguAmFZKnMS89yEu1YMbvRenJGk0D7N3KI/edit#heading=h.7m6wq9expm3e
>>> - The Vulnerability Handling and Disclosure Process at
>>>
>> https://docs.google.com/document/d/1qxp3EMq8KKq84smrAFyWlnL87oOrPj-kT9dxefjk5Pc/edit#heading=h.7m6wq9expm3e
>>> -
>>> the Process is the document that we'll put on the OASIS public pages to
>>> guide researchers who want to report findings.
>>>
>>> With the link, you can comment. You will see that we have had a lot of
>>> feedback already from members of the Open Projects Advisory Council. Feel
>>> free to add comments if you'd like. The Board Process Committee is
>>> reviewing these now with the intention to send these to the full Board
>> for
>>> review soon.
>>>
>>> So, I want to be sure I understand your situation. I looked at the page
>> on
>>> the Mitre site and I don't get a result for CVE-2020-13101. I see results
>>> for 2019- and 2018-. For 2020- I found "** RESERVED ** This candidate has
>>> been reserved by an organization or individual that will use it when
>>> announcing a new security problem. When the candidate has been
>> publicized,
>>> the details for this candidate will be provided." Is it the TC that made
>>> the reservation?
>>>
>>> Assuming that's the case: that you all discovered a vulnerability,
>>> addressed it, and have reserved the identifier, can you tell me the
>> story?
>>> How did you find out about it, how did you deal with it, etc. etc. This
>> is
>>> a great education for me (and the rest of the committee I'm sure) and can
>>> help me make sure we are putting the right things in place.
>>>
>>> In terms of where to post the notice, that is a great question. I had not
>>> thought about that in detail. Your suggestion makes perfect sense - a
>> link
>>> on the download section and a reference one the TC's home page. We may
>> wind
>>> up needing a Vulnerabilities list somewhere on the OASIS site but for
>> now,
>>> notice on the TC page may be enough.
>>>
>>> In any case, thanks - I'm looking forward to hearing more details.
>>>
>>> /chet
>>>
>>>
>>> On Mon, May 18, 2020 at 11:14 AM Andreas Kuehne <kuehne@trustable.de>
>> wrote:
>>>> Hi Chet,
>>>>
>>>> We (the Board Process Committee to be precise) is working on a process
>>>> document now. I'm happy to share the working draft if you'd like to
>> review
>>>> it.
>>>>
>>>> great! Would be a please or me to do a review!
>>>>
>>>> When you say "file it officially," do you mean that the TC has already
>>>> developed the fix and that you want to announce it in one of the
>>>> vulnerability databases?
>>>>
>>>> Yes, the new version of the DSS-X core does not include the option for
>> the
>>>> attack. And it is pretty forward for users of the version 1 to avoid
>> these
>>>> probems. Just reject the 'inline XML' data transfer option.
>>>>
>>>> I thought of a warning iin the download section loke this
>>>>
>>>> and a corresponding hint on the TC home page.
>>>>
>>>> The vulnerability has the identifier CVE-2020-13101 assigned.
>>>>
>>>>
>>>> Greetings,
>>>>
>>>>
>>>> Andreas
>>>>
>>>> /chet
>>>>
>>>> On Sun, May 17, 2020 at 12:46 PM Andreas Kuehne <kuehne@trustable.de> <
>> kuehne@trustable.de> wrote:
>>>>
>>>> Hi Chet,
>>>>
>>>>
>>>> we already discussed the topic soe time ago: The DSS core V1.0 has a
>>>> vulnerability and we like to file it officially. Is there an official
>>>> OASIS process for it? If not, I would suggest that we add a remark
>>>> including the link to the explaination & mitigation document and the CVE
>>>> at a prominent place on the TC home page and at the standards download
>>>> section.
>>>>
>>>>
>>>> Gretings,
>>>>
>>>>
>>>> Andreas
>>>>
>>>> --
>>>> Andreas KÃhne
>>>>
>>>> Chair of OASIS DSS-X
>>>>
>>>> phone: +49 177 293 24 97
>>>> mailto: kuehne@trustable.de
>>>>
>>>> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659
>>>> Hannover Amtsgericht Hannover HRB 212612
>>>>
>>>> Director Andreas KÃhne
>>>>
>>>> Company UK Company No: 5218868 Registered in England and Wales
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Andreas KÃhne
>>>>
>>>> Chair of OASIS DSS-X
>>>>
>>>> phone: +49 177 293 24 97
>>>> mailto: kuehne@trustable.de
>>>>
>>>> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659
>> Hannover Amtsgericht Hannover HRB 212612
>>>> Director Andreas KÃhne
>>>>
>>>> Company UK Company No: 5218868 Registered in England and Wales
>>>>
>>>>
>> --
>> Andreas KÃhne
>>
>> Chair of OASIS DSS-X
>>
>> phone: +49 177 293 24 97
>> mailto: kuehne@trustable.de
>>
>> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659
>> Hannover Amtsgericht Hannover HRB 212612
>>
>> Director Andreas KÃhne
>>
>> Company UK Company No: 5218868 Registered in England and Wales
>>
>>

--

/chetÂ
----------------

Chet Ensign

Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org

Mobile: +1 201-341-1393Â