CVE management process for Node.js #33

Closed
mhdawson opened this issue Jul 26, 2017 · 23 comments
Comments

@mhdawson
Member

mhdawson commented Jul 26, 2017

I had a discussion with @dadinolfi from Mitre about the options for managing CVEs for Node.js.

There are 2 options that we have:

  • Act as a CNA
  • Use the web form to request CVEs as a one-off.

Some open source projects already acting as a CNA

  • OpenSSL
  • Apache (covers all of apache)
  • Drupal
  • DWF (give CVEs for open source)

There are pros/cons as outlined in the sections which follow.

From my read of the rules and my discussion with @dadinolfi I think the extra work in being a CNA will be relatively small, and having the community able to control the CVEs assigned for Node.js would be good, so I'd lean towards the option of acting as a CNA.

Acting as CNA

When we act as a CNA, we get a block of CVEs at the start of the year and then assign these ourselves. When we publicly disclose the vulnerability we use the web form (and other methods like JSON in the future) to provide info to Mitre, which gets published in the CVE. This information is relatively minimal.

If any other entity wants a CVE for Node.js they will be referred to us and we decide based on the CNA rules if we believe a CVE should be assigned and if appropriate provide one to the requesting entity.

The full rules for acting as a CNA are here: http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf

  • Pros

    • We can quickly assign CVEs
    • We have full control over the CVEs assigned for Node.js
  • Cons

    • Some additional reporting requirements
    • We need to make sure those in the community implementing the process follow the rules
  • misc

    • We need to be responsive to requests for CVEs
    • We need to provide Mitre with at least a couple of primary contacts that will respond to their enquiries
    • We need to plan to request our block of CVEs once a year.

CVE is only public once the vulnerability is public; don't publish the number until then, release when the embargo is lifted.

Web form

  • Pros:

    • No pre-planning
    • Minimum work
  • Cons

    • Longer cycle time to get CVE assigned and details published
    • Third parties could request/get assigned CVEs on Node.js that we may not agree with.
@mcollina
Member

I think we should act as a CNA, if we have the bandwidth to do so.

@drifkin
Contributor

drifkin commented Jul 28, 2017

(edited to fix the link to the PDF)

@mhdawson
Member Author

@nodejs/security, @nodejs/security-wg it would be good to get input from a good number of people, as we'll need a number of people to agree to help with the work required if we choose to act as a CNA.

@grnd
Contributor

grnd commented Jul 31, 2017

Acting as a CNA will also help us assign CVEs to vulnerabilities in npm packages as well.

@mhdawson
Member Author

Just catching up after being out a few weeks.

It was mentioned here: #17 (comment) that HackerOne might be able to act as a CNA for us. It's another option to consider.

@dadinolfi any comments on pros/cons of that ?

@dadinolfi

If you are a HackerOne customer, they can assign CVE IDs for vulnerabilities reported through their platform. If a vulnerability is disclosed outside of HackerOne, they may not assign for it, which then leaves you in a similar space as now. Some of HackerOne's customers are already CNAs themselves, and they and HackerOne have worked out who will assign for what and when.

@mhdawson
Member Author

mhdawson commented Sep 8, 2017

Talking with @sam-github re HackerOne, we came to the conclusion we should probably become a CNA even if we end up using HackerOne.

@nodejs/tsc @nodejs/security @nodejs/security-wg Please comment if you have any objections to the project becoming its own CNA for CVEs.

@Fishrock123

CNA seems like a reasonably good idea.

@mhdawson
Member Author

Discussed in the TSC meeting today. Consensus was that we should try it out unless somebody objects in this issue in the next week (i.e. by Sep 27th).

@mhdawson
Member Author

@dadinolfi I requested a CVE yesterday, just wondering if you can check if we'll get it soon? At the same time we should probably agree on the next steps for us becoming a CNA as well.

@mhdawson
Member Author

@dadinolfi I just requested a second one right now as well, wanted to let you know in order to avoid confusion, as it's the first one that I'd like to get ASAP for https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/

@mhdawson
Member Author

@dadinolfi I received the second one but not the first one. If you can take a look at why we've not had a response on the first one that would be great.

@dadinolfi

I'm looking into it.

@dadinolfi

dadinolfi commented Sep 29, 2017

Our Content folks believe both requests had been replied to. Just in case:

CVE-2017-14849
and
CVE-2017-14919

@sam-github
Contributor

@mhdawson looks like there is general approval (and no objection) for us becoming a CNA. What are the next steps? What process needs to be put in place?

@dadinolfi

From the MITRE side, we need the following four bits of information to proceed:

  • The scope that the CNA would cover. For example, Microsoft's scope is "All Microsoft products". Yours might be something like "All actively-developed versions of software developed under the Node.js project".

  • Public contact points. What email address or web address should we direct someone to who asks us for a way to contact you about CVE-related issues?

  • Private contact points. We maintain a list of administrative contacts that we can reach out to directly in case there are issues that require immediate attention. This is typically one or more email addresses or a group mail alias.

  • Email addresses to add to the CNA email discussion list. This is a closed mailing list that is used for announcements, sharing documents, or discussion relevant to the CNA community. The list rarely has more than ten messages a week.

Once I have these bits of information, I will ask the CVE Content Team to send you your initial block of CVE IDs. When you have a vulnerability to assign, you would take a CVE from that block, create the entry request (per Appendix B of the CNA Rules or using the JSON format described here: https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema ), and ask me to review it. I'll give you some feedback regarding the content and formatting. Once we are happy with it, you can submit it through the regular method (https://cveform.mitre.org/) or through the new GitHub-based process that I can set you up with.

Please let me know if you have any questions.

@sam-github
Contributor

@dadinolfi We definitely want to be a CNA for all projects administered by the Node Foundation; the above info is great, thank you.

Can we, as well, be a CNA for third-party modules published to npmjs.org? If so, can we do it under the same CNA/block, or do we need a separate application?

We will soon be accepting reports of vulnerabilities in these modules; it would be convenient to issue CVEs for them, even though the Node Foundation didn't write and publish those modules.

@mhdawson
Member Author

@dadinolfi to confirm I have both CVEs, thanks.

@mhdawson
Member Author

@sam-github we have agreement to act as a CNA for Node core issues; I think we'd need to get further agreement, as well as find people who are willing to do the work for third-party modules, before expanding the scope.

I suggest we start by ramping up to be a CNA just for node-core and then expand once we are comfortable with that.

@dadinolfi

If no one else has those modules as part of their CNA scope, there would be no barrier to you assigning CVE IDs to vulnerabilities disclosed in those. By including them explicitly in your scope, though, you'd be taking on the responsibility of being the one to assign CVE IDs for them for all cases, and other CNAs would send people looking for CVE IDs for those modules to you.

mhdawson added a commit to mhdawson/email that referenced this issue Oct 25, 2017
Add email aliases for acting as a CNA as per:
nodejs/security-wg#33

cve-request  - email address that people should be directed to
               in order to ask questions about CVE-related issues

cve-mitre-contact - private contact points for mitre to reach out
                    directly to in case there are issues that required
                    immediate attention

cna-discussion-list - email address added to the CNA email discussion list.
                      Used for announcements, sharing documents or discussion
                      relevant to CNA community. Rarely has more than 10
                      messages a week
@mhdawson
Member Author

Submitted request for Node.js to become CNA and manage CVEs

First cut at CVE management process #60

@dadinolfi

I tried subscribing the email address you gave me to our cve-cna-list mailing list, but our mail server got a recipient rejected message when we tried to send to it. Is the address you gave me functioning?

Thanks.

-Dan

mhdawson added a commit to nodejs/email that referenced this issue Oct 27, 2017
Add email aliases for acting as a CNA as per:
nodejs/security-wg#33

cve-request  - email address that people should be directed to
               in order to ask questions about CVE-related issues.

cve-mitre-contact - private contact points for mitre to reach out
                    directly to in case there are issues that required
                    immediate attention.

cna-discussion-list - email address added to the CNA email discussion
                      list.  Used for announcements, sharing documents
                      or discussion relevant to CNA community. Rarely
                      has more than 10 messages a week.

PR-URL: #71
Reviewed-By: Sam Roberts <[email protected]>
@mhdawson
Member Author

mhdawson commented Nov 2, 2017

Email aliases PR had not yet landed; all in place now.

Process has been documented so we should be good to go. Landing.

@mhdawson mhdawson closed this as completed Nov 2, 2017
Johnhvy added a commit to Johnhvy/NodeJS-Email that referenced this issue Jul 16, 2024
Add email aliases for acting as a CNA as per:
nodejs/security-wg#33

cve-request  - email address that people should be directed to
               in order to ask questions about CVE-related issues.

cve-mitre-contact - private contact points for mitre to reach out
                    directly to in case there are issues that required
                    immediate attention.

cna-discussion-list - email address added to the CNA email discussion
                      list.  Used for announcements, sharing documents
                      or discussion relevant to CNA community. Rarely
                      has more than 10 messages a week.

PR-URL: nodejs/email#71
Reviewed-By: Sam Roberts <[email protected]>