[VIM] Oracle intentionally requesting duplicate CVEs?

Steven M. Christey coley at linus.mitre.org
Sat Jan 16 02:17:14 UTC 2010


This was an accident by Oracle, which I've already clarified with them. 
The intention was to use the JRE CVE that had the highest CVSS score.

Duplicate assignments happen sometimes.  Generally, I can handle them with 
a "** REJECT **" statement that discourages CVE consumers and vendors from 
using them.  In this case, interestingly enough, because CVE-2010-0079 
effectively doubles as a patch ID, removing or "rejecting" it would limit 
the utility of the CVE for Oracle's customers.  So I think we kinda have 
to live with the dupe.

- Steve


  On Sat, 16 Jan 2010, security curmudgeon wrote:

> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
>
> Drop down to the BEA Product Suite matrix, first entry is for CVE-2010-0079 
> covering the JRockit component with 'See Note 1':
>
> Notes:
> Sun MicroSystems released a Security Alert in November 2009 to address 
> multiple vulnerabilities affecting the Sun Java Runtime Environment. Oracle 
> CVE-2010-0079 refers to the advisories that were applicable to JRockit from 
> the Sun Alert. The CVSS score of this vulnerability CVE# reflects the highest 
> among those fixed in JRockit. The score is calculated by National 
> Vulnerability Database (NVD), not Oracle. The complete list of all advisories 
> addressed in JRockit under CVE-2010-0079 is as follows: CVE-2009-3867, 
> CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, 
> CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877.
>
> --
>
> This wording seems pretty clear that Oracle takes 2010-0079 to be a 'summary' 
> CVE that covers ten previously assigned CVE candidates.
>
> This seems to go against the publicly defined CVE assigning process.
>
