FW: [OVAL-DISCUSSION-LIST] [OVAL-DEVELOPER-LIST] Issue with the OVAL Definition - oval:org.mitre.oval:def:15075 (CVE-2012-0498)

drothenberg

All,

We had this issue come up with an OVAL submission recently dealing with the correct CPE reference to use for Java checks. I was wondering if anyone on this list might be able to weigh in on the proper way to handle something like this case? To summarize: We have OVAL inventory definitions for both cpe:/a:oracle:jre and cpe:/a:sun:jre. Should all previous sun:jre checks be updated, or should we separate the checking of JRE existence into a set of Sun CPE versions and Oracle CPE versions? If the second option is the best method, where would the version threshold occur?

Thanks,

David Rothenberg

From: Shane Shaffer [mailto:[hidden email]]
Sent: Thursday, August 09, 2012 4:43 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] [OVAL-DEVELOPER-LIST] Issue with the OVAL Definition - oval:org.mitre.oval:def:15075 (CVE-2012-0498)

That's an interesting question. I had not noticed the difference in CPEs, so I didn't consider it. The difference actually makes this more problematic, if we want to be precise. Arguably neither def:11627 nor def:14733 are correct checks for the listed CPE, as both definitions would find both the Sun and Oracle releases. An older release, under the Sun name, potentially should not be reported as the Oracle CPE, nor should a newer release under the Oracle name be reported as the Sun CPE. We know that it is the same product, it really is the same thing, but depending on release the CPE may be a little bit misleading. Interestingly, the product element in the metadata of def:11627 is Oracle Java SE, and it appears that it always has been that value, despite the CPE including Sun (and the Oracle acquisition of Sun was well before def:11627 was first created).

If we wanted to be precise to the CPEs we would have to include version checking, and would have to figure out what version draws the line. Unfortunately I don't know that there is a reliable indicator other than the version, and the version is even a little complex. For example, it was in 1.6.0_21 that the JRE was rebranded to Oracle. This included updating the Company field on java.exe from "Sun Microsystems, Inc." to "Oracle", which caused problems with Eclipse and other applications. So a new build was quickly released from 1.6.0_21 (going from build number b06 to b07) that reverted back to "Sun Microsystems, Inc". It looks like they kept the Sun name and digital signature on all the 1.6 versions, but with 1.7 moved to Oracle. So does it become an Oracle product with 1.6.0_21 or not? Perhaps more importantly, does this level of precision even matter?

So I think I'm now thoroughly conflicted on what I think the right answer is, and I don't know what to recommend.

Shane

On Thu, Aug 9, 2012 at 3:14 PM, Rothenberg, David B. <[hidden email]> wrote:

Shane,

This submission has been processed and is currently available in the OVAL Repository for further review. The static downloads page will reflect this shortly. I had one question about your choice of updating those 11 definitions to point to def:11627 and deprecating def:14733. I recognize that the def:11627 is referenced by more OVAL definitions than the def:14733 and that they contain almost identical content, however wouldn't the def:14733 have a more accurate CPE given Oracle's acquisition of Java? I have processed the submission as-is so that all the JRE checks were consistent, but let me know if it makes more sense to either change the check back to def:14733, or update the CPE of def:11627. I will hold off on the deprecation of def:14733 for now.

Thanks,

David Rothenberg

Re: [External] [CPE-DISCUSSION-LIST] FW: [OVAL-DISCUSSION-LIST] [OVAL-DEVELOPER-LIST] Issue with the OVAL Definition - oval:org.mitre.oval:def:15075 (CVE-2012-0498)

McCormick, Christopher [USA]
David,

The NVD had been struggling with this same issue for some time and here are some notes relating to our decisions on how to handle the matter. In a nutshell, the older names released under Sun will stay and any new version will be instantiated as Oracle. The "threshold" we recognized was right at Java 6 (1.6.0) Update 22, but upon further review of the release notes for Java 6 Update 21, it does look like that is when the "rebranding" took place. My guess is the names for cpe:/a:sun:jre:1.6.0:update_21 and cpe:/a:sun:jdk:1.6.0:update_21 were instantiated in the Dictionary prior to full review of the release notes from the vendor (which may not have been available right away from Oracle).

Perhaps a deprecation for 1.6.0 Update 21 is in order of those two names moving 'sun' to 'oracle' per: http://www.oracle.com/technetwork/java/javase/6u21-156341.html. That can be done, no problem, since we have documentation from the vendor that substantiates that potential change. Feel free to email us at NIST at [hidden email] to process if that is what you'd like done.

The key point we made to our analysis team at the NVD is that when Oracle releases any further updates to ANY version of Java (JDK or JRE), all future names should be created using the cpe:/a:oracle:jdk or cpe:/a:oracle:jre URI structure.

I hope the rest of this helps a little bit at least from the NVD perspective.

- Java 4 (1.4.2)
- Java 5 (1.5.0)
- Java 6 (1.6.0)
- Java 7 (1.7.0)

Java 4 (1.4.2 of JDK and JRE) through update 36 are contained in the Dictionary as cpe:/a:sun:jdk:1.4.2 and cpe:/a:sun:jre:1.4.2. The individual update CPEs for this version line are cpe:/a:sun:jdk:1.4.2_1 and cpe:/a:sun:jre:1.4.2_1 upwards to _36.

CPE Dictionary Search Engine results for JDK 1.4.2: http://web.nvd.nist.gov/view/cpe/search/results?page_num=0&searchText=JDK+1.4.2&includeDeprecated=false
CPE Dictionary Search Engine results for JRE 1.4.2: http://web.nvd.nist.gov/view/cpe/search/results?page_num=0&searchText=JRE+1.4.2&includeDeprecated=false

Java 5 (1.5.0 of JDK and JRE) through update 31 are contained in the Dictionary as cpe:/a:sun:jdk:1.5.0 and cpe:/a:sun:jre:1.5.0. The individual update CPEs for this version line are cpe:/a:sun:jdk:1.5.0:update1 and cpe:/a:sun:jre:1.5.0:update1 upwards to update31.

CPE Dictionary Search Engine results for JDK 1.5.0: http://web.nvd.nist.gov/view/cpe/search/results?page_num=0&searchText=JDK+5.0&includeDeprecated=false
CPE Dictionary Search Engine results for JRE 1.5.0: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&searchText=JRE+5.0

Java 6 (1.6.0 JDK/JRE) through Update 21 (1.6.0:update_21) are under the old Sun Java structure and will remain in official capacity as cpe:/a:sun:jdk:1.6.0

CPE Dictionary Search Engine results for all JDK 1.6.0: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&searchText=JDK+6.0
CPE Dictionary Search Engine results for all JRE 1.6.0: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&searchText=JRE+6.0

Java 6 (1.6.0 JDK/JRE) Update 22 (1.6.0:update_22) through the most current release of Update 31 are in the new Oracle vendor structure. This is because these versions after update 22 were released by Oracle and not Sun: cpe:/a:oracle:jdk:1.6.0 and cpe:/a:oracle:jre:1.6.0

CPE Dictionary Search Engine results for Oracle JDK 1.6.0 Update 22 to current: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&searchText=cpe%3A%2Fa%3Aoracle%3Ajdk%3A1.6.0
CPE Dictionary Search Engine results for Oracle JRE 1.6.0 Update 22 to current: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&searchText=cpe%3A%2Fa%3Aoracle%3Ajre%3A1.6.0

Java 7 (1.7.0 JDK/JRE) CPEs have been instantiated in the Dictionary as the only vendor that released these versions, Oracle: cpe:/a:oracle:jdk:1.7.0 and cpe:/a:oracle:jre:1.7.0

CPE Dictionary Search Engine results for all JDK 1.7.0: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&searchText=JDK+7.0
CPE Dictionary Search Engine results for all JRE 1.7.0: http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&searchText=JRE+7.0

Chris

From: Rothenberg, David B. [[hidden email]]
Sent: Thursday, August 16, 2012 1:48 PM
To: [hidden email]
Subject: [External] [CPE-DISCUSSION-LIST] FW: [OVAL-DISCUSSION-LIST] [OVAL-DEVELOPER-LIST] Issue with the OVAL Definition - oval:org.mitre.oval:def:15075 (CVE-2012-0498)

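Shane's message asks which version draws the Sun/Oracle line, and Chris's reply gives the NVD answer as per-line cutoffs (update 36 for 1.4.2, update 31 for 1.5.0, update 21 for 1.6.0, and Oracle only for 1.7.0) plus the rule that any later update gets the oracle vendor. The following Python is an added example, not code from the thread, the OVAL Repository, NVD or TagVault: it turns a Java version string into the CPE 2.2 URI name under that convention, so the threshold lives in one table rather than being spread across inventory definitions. It generalizes slightly beyond the listed names by applying Chris's "future names use oracle" rule to updates newer than the cutoffs (for example a hypothetical 1.4.2_37). The update-suffix spelling for 1.7.0 names is an assumption (the thread only shows the 1.7.0 base names), the build tag handling follows Shane's 1.6.0_21 b06/b07 note, and all sample inputs are constructed.

```python
import re

# Last update number in each version line that the Dictionary files under the "sun" vendor.
# Numbers are the ones Chris lists; anything newer falls under his rule that all future
# names use the oracle vendor. None marks a line Sun never shipped (1.7.0).
LAST_SUN_UPDATE = {
    "1.4.2": 36,
    "1.5.0": 31,
    "1.6.0": 21,
    "1.7.0": None,
}

# Spelling of the update component per line, taken from Chris's examples.
# ASSUMPTION: the thread only shows the 1.7.0 base names, so "update_N" is assumed there,
# following the 1.6.0 form.
UPDATE_FORMAT = {
    "1.4.2": "_{n}",         # cpe:/a:sun:jre:1.4.2_36
    "1.5.0": ":update{n}",   # cpe:/a:sun:jre:1.5.0:update31
    "1.6.0": ":update_{n}",  # cpe:/a:sun:jre:1.6.0:update_21
    "1.7.0": ":update_{n}",  # assumed, see above
}

# Matches "1.6.0", "1.6.0_21" and "1.6.0_21-b07" (the build tag Shane mentions).
_VERSION_RE = re.compile(
    r"^(?P<line>1\.[4-7]\.\d+)(?:_(?P<update>\d{1,3}))?(?:-b(?P<build>\d+))?$"
)


def parse_java_version(text):
    """Split a Java version string into (line, update, build); update and build may be None."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    update = int(m.group("update")) if m.group("update") else None
    return m.group("line"), update, m.group("build")


def cpe_vendor(line, update):
    """Apply the NVD split: names Sun shipped stay 'sun', everything later is 'oracle'."""
    if line not in LAST_SUN_UPDATE:
        raise ValueError(f"version line {line} is not covered by the thread")
    last_sun = LAST_SUN_UPDATE[line]
    if last_sun is None:        # 1.7.0: only ever released by Oracle
        return "oracle"
    if update is None:          # base release of a Sun-era line, e.g. plain 1.6.0
        return "sun"
    return "sun" if update <= last_sun else "oracle"


def java_cpe(version_text, product):
    """Return the CPE 2.2 URI for a JRE/JDK version string, e.g. cpe:/a:oracle:jre:1.6.0:update_22."""
    if product not in ("jre", "jdk"):
        raise ValueError("product must be 'jre' or 'jdk'")
    line, update, _build = parse_java_version(version_text)
    vendor = cpe_vendor(line, update)
    suffix = "" if update is None else UPDATE_FORMAT[line].format(n=update)
    return f"cpe:/a:{vendor}:{product}:{line}{suffix}"


def rebrand_ambiguous(version_text):
    """True only for 1.6.0_21, the release Shane flags: build b06 carried an Oracle Company
    field and b07 reverted it to Sun, so binary metadata alone cannot settle the vendor."""
    line, update, _build = parse_java_version(version_text)
    return line == "1.6.0" and update == 21


if __name__ == "__main__":
    # Constructed sample inputs, not observed data.
    samples = [("1.4.2_36", "jdk"), ("1.5.0_31", "jre"), ("1.6.0_21-b07", "jre"),
               ("1.6.0_22", "jre"), ("1.7.0", "jdk"), ("1.4.2_37", "jre")]
    for version, product in samples:
        flag = "  (rebrand ambiguous)" if rebrand_ambiguous(version) else ""
        print(f"{version:>12} {product} -> {java_cpe(version, product)}{flag}")
```

An OVAL inventory definition split the same way would carry one version test per row of LAST_SUN_UPDATE; keeping the cutoffs in a single table is what makes the later "update 21 moves to oracle" deprecation Chris mentions a one-line change rather than an edit to every definition that references def:11627 or def:14733.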

 

Re: [External] [CPE-DISCUSSION-LIST] FW: [OVAL-DISCUSSION-LIST] [OVAL-DEVELOPER-LIST] Issue with the OVAL Definition - oval:org.mitre.oval:def:15075 (CVE-2012-0498)

steveklos
As an FYI, the approach documented by Chris is exactly what TagVault.org and SWID tags are working to promote.

Cheers,

SK
408.202.1900
--
Sent from a mobile device. Please excuse brevity and typos.
