Contrib.social

Unsuported Modules: Establish timeline for publishing of vulnerability info to allow for possible CVE creation

Open on Drupal.org β†’
Created on 21 December 2024, 4 months ago

Problem/Motivation

In πŸ“Œ Create CVEs for contributed projects in 2024 Active the subject of how to deal with modules marked Unsupported was raised as we can't publish a CVE as just "unsupported module" we need the details to create formal CVE records.

One suggestion was

Hard code a time limit that unsupported modules must be disclosed to allow a CVE to be generated.

Which appeared to have initial acceptance as a possible solution.

Steps to reproduce

N/A

Proposed resolution

Amend:
https://www.drupal.org/drupal-security-team/becoming-primary-maintainer-... β†’ to make the information publicly available for inclusion in CVE's.

- if the security issue is not resolved within this period, the Drupal security team may publish the details publicly. 
+ if the security issue is not resolved within this period, the Drupal security team will publish the details publicly and issue a CVE if eligible.

- Once the issue is fixed the security team will not issue a second SA for the module, instead the existing SA will be updated to indicate the module is now secure. 
+ Once the issue is fixed the security team will not issue a second SA for the module, instead the existing SA will be updated to indicate the module is now secure. If eligible a CVE will be published with the vulnerability details.

Remaining tasks

Decide if the current 30 day timeline used for 'may' is acceptable for 'will/must'

User interface changes

API changes

Data model changes

πŸ“Œ Task
Status

Active

Version

1.0

Component

Documentation

Created by

πŸ‡ΊπŸ‡ΈUnited States cmlara

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @cmlara
  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    I was mistaken. On further research, it's possible to create CVEs without specifying the CWE/CAPEC/risk score, so the title and some of the description could be updated to reflect that. It may be desirable for some to know that information.

    After gathering opinions from a few places, I think this could be marked as "won't fix."

  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    it's possible to create CVEs without specifying the CWE/CAPEC/risk score, so the title and some of the description could be updated to reflect that. It may be desirable for some to know that information.

    Can you clarify what you are trying to say? You want this issues title updated? Or do you mean that that the title for modules previously published as "unsupported module" should be updated?

  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    Sorry if my update was confusing.

    The title is currently:

    Unsuported Modules: Establish timeline for publishing of vulnerability info to allow for possible CVE creation

    But I think it should be:

    Unsuported Modules: Establish timeline for publishing of vulnerability info

    The motivation to release the information should be separated from publishing CVEs. Then the issue summary needs a pretty significant rewrite to explain the value and motivation for publishing the information.

    Alternately, this could be closed as "won't fix" or maybe "outdated" since the information is not required for CVEs.

  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    The motivation to release the information should be separated from publishing CVEs.

    CNA rules
    5.1.7 a CVE MUST identify the type of Vulnerability.
    5.1.1 SHOULD contain sufficient information to uniquely identify the Vulnerability and distinguish it from similar Vulnerabilities.

    5.1.7 is the one that likely puts us at most risk It requires we disclose at least a vulnerability type in the CVE. We can get away with just saying a basic (sample I have not looked at this particular advisory lately) "Remote Code exploit", "XSS" , "Authentication Bypass" or other similar category to maintain that compliance, however even to do that we have to disclose that specific bit of information which should likely be done under D.O. coordinating its disclosure of more details (why hide on the D.O. SA that it is a specific type when an attacker can go to the CVE to find that out).

    5.1.1, we need to have a very good reason to refute why we do not align ourselves with what we are instructed that we should do. Will the CNA loose its contract for failing to comply with a should, no, will they loose respect in the industry, possibly, will they waste other organizations resources, likely.

    We published sa-contrib-2024-075 as an unsupported module with CVE-2024-13311. This report does not appear to uniquely identify the vulnerability or indicate vulnerability type.

    Looking at the enrichment data for CVE-2024-13311 if I am reading it correctly it appears that CISA was unable to provide full enrichment due to "not enough information".

    Being flagged as "not enough information" should itself be a warning to us that we need to work on our disclosure process.

  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    Thanks for that research and advice. I'll have to read it and consider and encourage others to as well.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024