
CVE-less vulnerabilities

Posted Jun 26, 2019 21:20 UTC (Wed) by rweikusat2 (subscriber, #117920)
Parent article: CVE-less vulnerabilities

Many people I have to deal with are absolutely paranoid wrt updates. This includes one entity which chose to rather keep a known remote DoS with a trivial fix than allow that trivial fix to be installed.


CVE-less vulnerabilities

Posted Jun 27, 2019 9:36 UTC (Thu) by ssiccha (guest, #131965) (1 response)

Sounds like that entity was not at all able to assess whether the change was trivial or not.

CVE-less vulnerabilities

Posted Jun 27, 2019 12:27 UTC (Thu) by rweikusat2 (subscriber, #117920)

Well, obviously not. But even when disregarding compatibility issues or the mere fact that updating something needs a certain amount of time people aren't necessarily allowed to spend on that, "just make them all run the latest version" is not going to fly.

CVE-less vulnerabilities

Posted Jun 27, 2019 22:18 UTC (Thu) by nilsmeyer (guest, #122604)

I think this is a very common pattern simply because there often aren't any consequences to running vulnerable software. In some environments malfunctions are so common that it's hard to discern them from an attack. The risks can even be insured at reasonable rates.

Trivial fixes might not be trivial

Posted Jun 28, 2019 3:01 UTC (Fri) by dps (guest, #5725)

In a former life I maintained something based on a way-out-of-security-support version of RHEL. Even the most trivial kernel fix required dev testing on all supported hardware, which was several days of work.

QA also had to do some more testing, so kernel upgrades were not something done lightly. A CVE and a sufficient CVSS score were required to overcome the resistance to changing anything.

I might have declared anything which broke on current stable versions to be bugware which had to be fixed, but I was not in a position to do that.
