
Re: [Xen-users] [RESEARCH] Security patch delivery delay

On Mon, 2015-09-14 at 11:06 +0200, Stefan Geißler wrote:
Hello xen-users,

I am currently analyzing the delay between vulnerability disclosure (CVE
release) and the release of a corresponding patch.

First, I noticed that some vulnerabilities are patched before the CVE
was assigned. How is that possible? Was the vulnerability "accidentally"
fixed? (Example: According to NVD CVE-2011-2519 was fixed on 2008-02-05)

For this specific example
http://www.openwall.com/lists/oss-security/2011/08/30/1 seems pretty clear
as to the reasons for this.

Second, does someone know why some vulnerabilities get a fix on CVE
release day while some only receive a fix after weeks or even months?
(Maximum delay I observed is 241 days)

When the Xen Project (pre)discloses a vulnerability we ask Mitre for a CVE
at the same time. There have been instances where there have been long
delays in receiving a reply. There is no point in holding onto a fix (and
leaving users vulnerable) just waiting for a number to be assigned.

I suppose there are also instances where the security impact of a fix was
not recognised until later, in which case a CVE might be retroactively

I don't think any of that is especially specific to the Xen Project, I
think the issue is simply that CVE release does not precisely correspond to
vulnerability disclosure for a variety of reasons.

That explains why some delays are negative. But some vulnerabilities get patched/receive an advisory only some time AFTER the CVE release. In that case, the vulnerability is already public but a patch has not been publicly released yet. Is there a reason that some vulnerabilities get fixed faster than others? (severity, impact type, complexity, ...). And why are vulnerabilities publicly disclosed if no patch is available?

For example CVE-2012-3497 has been assigned on 2012-06-14. The advisory (XSA-15) has been released on 2012-09-05. This results in a delay of 83 days between CVE assignment and advisory release.

