[VIM] question about IRM advisory (fwd)
security curmudgeon
jericho at attrition.org
Thu May 8 06:23:04 UTC 2008
And no reply since...
---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: research at irmplc.com
Date: Wed, 30 Apr 2008 02:46:16 +0000 (UTC)
Subject: question about IRM advisory
In regard to:
http://www.irmplc.com/content/pdfs/WebSphere_MQ_Threats_Management_Summary.pdf
First, it is extremely annoying that you make such "advisories" in a PDF format
that does not allow cut-and-paste.
Second, under "Unauthorized Queue Access", it is unclear if this is describing
a vulnerability in the software, a client misconfiguration or a
misconfiguration that ships by default.
Third, you say that it is vulnerable to traffic sniffing, but then go on to say
that it is vulnerable to "unauthorized decryption". Can you clarify if there is
encryption available for traffic, but it is weak? Or is this in reference to
encryption used on data not in transit?
In short, OSVDB is trying to determine how many real vulnerabilities are
covered in this advisory in order to create tracking numbers in our database.
In addition, it would be appreciated if IRM could request CVE
(http://cve.mitre.org/) candidate numbers for the vulnerabilities found, so
that there is an external standardized tracking number to help avoid this type
of confusion.
Thank you,
Brian
OSVDB.org