P.S.  The fact that CVE-2021-44832 was scored as CVSS v3 Base 6.6 = Medium
means most companies will probably not take this patch urgently.  I've seen
policies in practice (at companies) that consider 7.0 and up ("HIGH") as
patch-in-7-days, and 9.0 and up ("CRITICAL") as patch-in-3-days, and things
like this.  So the fact that you scored it as 6.6 Medium was great for
helping consumers understand that this one was not as urgent as some of the
others.

I really wouldn't worry about whether the CVE was worthy or not - it's better
to issue a CVE that wasn't needed than the inverse!



On Thu, Dec 30, 2021 at 9:01 AM Julius Davies <juliusdav...@gmail.com>
wrote:

> Hello,
>
> Long time lurker here.
>
> There are probably tens of thousands of CVEs in the NVD that are
> theoretically exploitable, but in practice will never be exploited. I
> wouldn't take things people say on twitter too seriously when it comes to
> determining CVE-worthiness.
>
> I mainly think of the CVE system as a way to boost and amplify
> communication around patch releases, and to help convey to the public the
> importance of taking a given update.
>
> If the log4j team agreed that it's not safe for consumers of Log4J to
> remain on 2.17.0, then the CVE was appropriate, no matter what anyone else
> thinks.
>
>
> yours,
>
> Julius
>
>
>
> On Thu, Dec 30, 2021 at 8:46 AM Ralph Goers <ralph.go...@dslextreme.com>
> wrote:
>
>> I have no objection to this but it obviously has to be done on the
>> private list.
>>
>> I happen to disagree with your assessment of 44832. As far as I am
>> concerned any uncontrolled use of JNDI requires a CVE. People don't seem
>> to understand just how bad it is. Any design that lets you download code
>> from a random web server that then runs in your JVM is a disaster, and
>> that is exactly the way JNDI/LDAP works.
>>
>> Ralph
>>
>> > On Dec 30, 2021, at 2:02 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>> >
>> > Hello,
>> >
>> > The recent CVE-2021-44832 has been subject to quite some debate over
>> > whether it was CVE-worthy or not. I think that one had far-fetched
>> > assumptions and could very well be addressed in a patch release, just
>> > like we did, but without a CVE associated with it. The created CVE
>> > caused yet another wave of FUD surrounding the project. I can imagine
>> > millions of deployments all around the world were flagged by monitoring
>> > tools and people rushed to upgrade in panic, most likely, for no reason.
>> > I put aside the damage CVEs cause to the reputation of the project.
>> >
>> > I am told by secur...@apache.org that what is CVE-worthy is up to the
>> > PMC. *I propose creating a VOTE thread for the CVE creation from now
>> > on.* I would appreciate it if others can share their thoughts on this.
>> > If the overall reception is positive, I will send a VOTE email to make
>> > this official.
>> >
>> > Kind regards.
>>
>>