[VIM] CVE Dupes: 2007-4418 and 2005-2073 and CVE-2007-1089
security curmudgeon
jericho at attrition.org
Wed Apr 30 20:20:14 UTC 2008
Normally I mail these directly to Steve, but I am sharing this as a
cautionary tale for dealing with IBM vulnerabilities. OSVDB had dupes as a
result of this (independent of CVE) mess as well. The root cause is IBM
releasing a changelog with vague details, with different APAR numbers for
the same issue, then later making the APAR details public.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2073
Changelog:
http://www-1.ibm.com/support/docview.wss?uid=swg21209727
APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1IY73104
This was a vague issue from a changelog, and the APAR was not open at the
time, so we only had a few words to go off of.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-4418
Changelog:
http://www-1.ibm.com/support/docview.wss?uid=swg21255352
APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
Same thing: the changelog was there with a vague idea, but the APAR wasn't
open or available.

This CVE (2007-4418) also says it may be a duplicate of CVE 2007-1089.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1089
No changelog but this APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25941

Now, look at these APARs:
http://www-1.ibm.com/support/docview.wss?uid=swg1IY73104
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25941

25940 and 25941 are linked to each other (so CVE 2007-4418 and CVE
2007-1089 are dupes), but neither references 73104. However, all three
APARs are the same issue; most of the APAR vulnerability description is
the same.

Long story short, IBM needs to get their act together, as they are only
hurting themselves as VDBs create extra entries for the same issue, giving
the impression that their products are more vulnerable than they really
are.
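As an added illustration (not part of jericho's post, and not code from any VDB), the cross-reference situation above can be checked mechanically: treat each CVE's cited APAR and each APAR-to-APAR link as edges, and cluster. The CVE and APAR numbers are the ones quoted in the post; the edges are a constructed reading of what the post says about which APARs reference each other, not data pulled from MITRE or IBM. The example also shows what happens once the missing IY73104 reference is supplied.

```python
"""Cluster CVEs by shared/linked vendor APAR references (constructed example).

The goal is to surface candidate duplicates that a VDB maintainer should
merge, and to show why a missing vendor cross-reference hides a dupe.
"""
from collections import defaultdict

# Each CVE with the IBM APAR its entry cites, as described in the post.
CVE_TO_APAR = {
    "CVE-2005-2073": {"IY73104"},
    "CVE-2007-4418": {"JR25940"},
    "CVE-2007-1089": {"JR25941"},
}

# APAR-to-APAR cross references. Per the post, JR25940 and JR25941 link to
# each other and neither references IY73104.
APAR_LINKS = {("JR25940", "JR25941")}


def cluster_cves(cve_to_apar, apar_links):
    """Union-find over CVE and APAR ids; returns a sorted list of CVE groups.

    Two CVEs land in the same group when their APARs are the same or are
    connected through the vendor's own cross-reference links.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for cve, apars in cve_to_apar.items():
        for apar in apars:
            union(cve, apar)
    for a, b in apar_links:
        union(a, b)

    groups = defaultdict(set)
    for cve in cve_to_apar:
        groups[find(cve)].add(cve)
    return sorted(sorted(g) for g in groups.values())


def candidate_dupes(cve_to_apar, apar_links):
    """Only the groups with more than one CVE, i.e. entries worth merging."""
    return [g for g in cluster_cves(cve_to_apar, apar_links) if len(g) > 1]


if __name__ == "__main__":
    print("as published:", candidate_dupes(CVE_TO_APAR, APAR_LINKS))
    # Hypothetical: the link IBM did not publish between IY73104 and JR25940.
    fixed = APAR_LINKS | {("IY73104", "JR25940")}
    print("with missing link:", candidate_dupes(CVE_TO_APAR, fixed))
```

Run as published, only 2007-4418 and 2007-1089 cluster; 2005-2073 stays alone because nothing in the vendor references ties IY73104 to the other two, which is exactly why the third entry survived in both CVE and OSVDB. The vague-changelog problem is not fixable by this kind of check; only the vendor publishing the cross-reference (or the APAR text) lets a VDB catch it.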