Difference between patch and vulnerability definitions


Difference between patch and vulnerability definitions

gauravphoenix
I am curious to know if there is any guidance available for OVAL authors on how to classify definitions. For example, the def id 14889 has a class "patch" while its title says "USN-1410-1 -- Linux kernel (EC2) vulnerability".

In other words, from an OVAL perspective, what is the difference between a patch and a vulnerability?

--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Re: Difference between patch and vulnerability definitions

gauravphoenix
Any thoughts on this?


Re: Difference between patch and vulnerability definitions

joval
Hi Gaurav,

Can you tell us how these definitions are not sufficient?

http://oval.mitre.org/language/version5.10.1/ovaldir/documentation/oval-common-schema.html#ClassEnumeration

Regards,
--David



--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!

Re: Difference between patch and vulnerability definitions

gauravphoenix
It isn't very clear to me what should be checked for the "stated issue". For example, should I check "whether the IIS service is running or not" before I check for vulnerable versions of the files used by IIS? Does the mere presence of vulnerable files make the system vulnerable?


Re: Difference between patch and vulnerability definitions

Jon Baker
Administrator

Gaurav,

Way back when OVAL started there was a debate about just this issue. It came down to a difference of perspectives. Some felt that a system should be considered vulnerable if there is flawed software on disk. Others felt that a system should be considered vulnerable if there is flawed software on disk and the system is configured to run the flawed software.

Consider a system with an older vulnerable version of Apache installed. A system administrator might turn off the execute permission on the Apache binary so that it cannot run. Should we consider this system to be vulnerable or not?

The OVAL Language will of course support both perspectives. If you look at some of the older content in the repository you will see a configuration section in the criteria. For example see: oval:org.mitre.oval:def:904, oval:org.mitre.oval:def:213, or oval:org.mitre.oval:def:1530. At the time the community decided to build two distinct sections into definition criteria to allow one to easily parse out the configuration section and ignore it if you only cared about flawed software on disk.

As the repository has evolved we have migrated away from adding in a configuration section. I believe it is now the norm to simply look at flawed software on disk with a vulnerability definition. As this change occurred, we also pointed out that an easy way to add in the configuration section would be to extend the base vulnerability definition with another definition that adds a configuration check.

This is a conversation that played out over several years, but the early discussion should be available in the mailing list archives.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

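The two-definition pattern Jon describes (a base vulnerability definition that checks only for flawed software on disk, plus a second definition that extends it via extend_definition to add a configuration check), worked through as an added example that is not part of this thread or of the OVAL repository. The definition ids, test ids, titles and test results are constructed for the illustration, and the evaluator is a minimal one written here, not an OVAL interpreter's.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"d": OVAL_NS}

# Constructed document, not repository content: def:1 checks only for flawed
# software on disk; def:2 extends def:1 and adds a configuration check.
DEFINITIONS_XML = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Vulnerable httpd installed (constructed)</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="httpd package version is vulnerable"/>
      </criteria>
    </definition>
    <definition id="oval:example:def:2" version="1" class="vulnerability">
      <metadata><title>Vulnerable httpd installed and runnable (constructed)</title></metadata>
      <criteria operator="AND">
        <extend_definition definition_ref="oval:example:def:1" comment="flawed software on disk"/>
        <criterion test_ref="oval:example:tst:2" comment="httpd binary has execute permission"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""


def evaluate(definitions_xml, test_results):
    """Return {definition_id: bool}; test_results maps test ids to the
    true/false results a scanner would have produced (constructed here)."""
    root = ET.fromstring(definitions_xml)
    defs = {d.get("id"): d for d in root.iterfind("d:definitions/d:definition", NS)}

    def eval_node(node):
        tag = node.tag.split("}")[1]
        if tag == "criterion":
            result = test_results[node.get("test_ref")]
        elif tag == "extend_definition":
            # Evaluate the referenced definition's criteria in place
            result = eval_node(defs[node.get("definition_ref")].find("d:criteria", NS))
        else:  # nested <criteria>: AND requires all children, OR requires any
            children = [eval_node(c) for c in node]
            result = all(children) if node.get("operator", "AND") == "AND" else any(children)
        # negate="true" inverts the result of any node
        return (not result) if node.get("negate") == "true" else result

    return {did: eval_node(d.find("d:criteria", NS)) for did, d in defs.items()}


# Jon's scenario: the vulnerable binary is on disk but the admin removed execute permission
RESULTS_EXEC_REMOVED = {"oval:example:tst:1": True, "oval:example:tst:2": False}
```

With RESULTS_EXEC_REMOVED the on-disk definition def:1 evaluates true while the extended def:2 evaluates false, which is exactly the split between the two perspectives Jon describes.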

Re: Difference between patch and vulnerability definitions

gauravphoenix
Thank you for the excellent answer.
