[VIM] ZDI-13-132 and a CVE?
security curmudgeon
jericho at attrition.org
Sun Aug 18 00:47:29 CDT 2013
: > On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:
: > This was released as a "security in depth" bulletin. As such it does
: > not have a CVE assigned.
: >
: > This is also true of ZDI-13-193 for Microsoft (although they call
: > it "defense in depth").
On Sat, 17 Aug 2013, Henri Salo wrote:
: The specific flaw exists within the java.security.KeyStore class. The issue lies
: in the execution of a user-supplied callback in a privileged context. An
: attacker can leverage this vulnerability to execute code under the context of
: the current process.
: This definitely sounds like it needs a CVE or multiple CVEs. In my
: opinion security in depth does not mean it's not a fix for a
: vulnerability. Other opinions/comments?
Agreed.
ZDI has a solid history of releasing quality material, and no wildly
inaccurate vuln reports. If ZDI releases an advisory that implies code
execution, and Oracle dismisses it with "defense in depth", then I fully
believe Oracle either doesn't understand the issue, or is intentionally
downplaying it. Oracle has an occasional history of not handling
researcher disclosures the best, and has a solid history of not
understanding vulnerability impacts, as evidenced by their frequently
inaccurate CVSS scoring.
ZDI, please consider pressing Oracle on this matter. Even if you don't, I
believe that this, and any other issue like this (as I think there were
others where a CVE wasn't issued) deserve a CVE ID.
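The quoted ZDI text describes the general pattern of a caller-supplied callback being invoked inside a privileged context. As an added illustration (not the JDK's KeyStore code and not the specific code ZDI reported; the class, method and callback names below are assumed for the demo), here is that anti-pattern next to the hardened form, using the standard AccessController.doPrivileged API:

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.Supplier;

// Illustrative pattern only (assumed names; not the JDK's KeyStore implementation):
// a library method that has a reason to run some of its own work with elevated
// privileges, but also accepts a callback from its (possibly untrusted) caller.
public final class CallbackPrivilegeDemo {

    /**
     * Anti-pattern: the caller-supplied callback executes inside doPrivileged.
     * Under a SecurityManager, a permission check triggered by the callback stops
     * walking the stack at the library's privileged frame, so the callback is
     * judged by the library's permissions instead of the caller's restricted ones.
     */
    public static <T> T unsafeLoad(final Supplier<T> callback) {
        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
            String home = System.getProperty("java.home"); // library's own privileged work
            return callback.get();   // BUG: untrusted code runs with library privileges
        });
    }

    /**
     * Hardened form: keep only the library's own work inside doPrivileged and
     * invoke the callback afterwards, so it runs on the caller's ordinary stack
     * and any permission check it triggers applies the caller's permissions.
     */
    public static <T> T safeLoad(final Supplier<T> callback) {
        String home = AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("java.home"));
        // The privileged frame is gone; the callback is checked like any caller code.
        return callback.get();
    }

    public static void main(String[] args) {
        // Constructed callback: reading a system property is a permission-checked
        // action when a SecurityManager with a restrictive policy is installed.
        Supplier<String> callback = () -> System.getProperty("user.home");
        System.out.println("unsafeLoad -> " + unsafeLoad(callback));
        System.out.println("safeLoad   -> " + safeLoad(callback));
    }
}
```

Without a SecurityManager and a restrictive policy both calls behave identically, which is exactly why this class of defect is easy to miss in testing: the structural difference is where the untrusted callback sits relative to the doPrivileged frame, and code review (or a grep for doPrivileged blocks that reference caller-supplied objects) is the practical way to find it.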