Re: svn commit: r1818724 - /subversion/site/staging/faq.html

Re: svn commit: r1818724 - /subversion/site/staging/faq.html

Stefan
On 19/12/2017 23:35, [hidden email] wrote:

> Author: luke1410
> Date: Tue Dec 19 22:35:53 2017
> New Revision: 1818724
>
> URL: http://svn.apache.org/viewvc?rev=1818724&view=rev
> Log:
> * site/staging/faq.html: Update the CVSS section to CVSSv3 including updating
>   the links to the reference documentation.  Add cvssv2 div to not break
>   existing external links.
>
> Modified:
>     subversion/site/staging/faq.html
>
> Modified: subversion/site/staging/faq.html
> URL: http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1818724&r1=1818723&r2=1818724&view=diff
> ==============================================================================
> --- subversion/site/staging/faq.html (original)
> +++ subversion/site/staging/faq.html Tue Dec 19 22:35:53 2017
> @@ -279,7 +279,7 @@ validating server certificate</tt> error
>  <li><a href="#baton">What's a 'baton'?</a></li>
>  <li><a href="#def-wedged-repository">What do you mean when you say that
>      repository is 'wedged'?</a></li>
> -<li><a href="#cvssv2">What is CVSSv2 and what do the score and vector
> +<li><a href="#cvssv3">What is CVSSv3 and what do the score and vector
>      mean?</a></li>
>  </ul>
>  
> @@ -4355,20 +4355,21 @@ real data loss in the repository.</p>
>  
>  </div>
>  
> -<div class="h3" id="cvssv2">
> -<h3>What is CVSSv2 and what do the score and vector mean?
> +<div id="cvssv2"></div>
> +<div class="h3" id="cvssv3">
> +<h3>What is CVSSv3 and what do the score and vector mean?
>    <a class="sectionlink" href="#cvssv2"
>      title="Link to this section">&para;</a>
>  </h3>
>  
>  
> -<p>Subversion has begun using CVSSv2 in our
> -<a href="/security/#advisories">security advisories
> -</a>so you will now see a CVSSv2 Base Score and Vector in the Severity section
> -of our advisories.  CVSSv2 is the current version of the Common Vulnerability
> -Scoring System which is an open industry standard for assessing the severity
> -of computer system security vulnerabilities.  <a href="https://www.first.org/"
> ->FIRST</a> maintains the <a href="https://www.first.org/cvss/v2/guide"
> +<p>Subversion is using CVSSv3 in our
> +<a href="/security/#advisories">security advisories</a>
> +so you will see a CVSSv3 Base Score and Vector in the Severity section of our
> +advisories.  CVSSv3 is the current version of the Common Vulnerability Scoring
> +System which is an open industry standard for assessing the severity of
> +computer system security vulnerabilities.  <a href="https://www.first.org/"
> +>FIRST</a> maintains the <a href="https://www.first.org/cvss/user-guide"
>  >documentation</a> for the standard.
>  </p>
>  
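Review bot: the section's own permalink was not updated along with the id: the unchanged context line `<a class="sectionlink" href="#cvssv2"` still points at the old anchor, which after this change resolves to the empty compatibility `<div id="cvssv2"></div>` rather than to the renamed `<div class="h3" id="cvssv3">`. Change it to `href="#cvssv3"` so "Link to this section" yields the canonical new id; the empty div keeps existing external `#cvssv2` links working regardless.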
> @@ -4377,15 +4378,16 @@ scoring lower and more risky vunerabilit
>  calculated by determining the metrics of the vunerability and then calculating
>  the score based on those metrics.  If you want to understand how a score was
>  determined you would need the vector and an understanding of the
> -<a href="http://www.first.org/cvss/cvss-guide.html#i3.2">formula as specified
> -by the standard</a>.
> +<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations
> +>formula as specified by the standard</a>.
>  </p>
>  
> -<p>The vector is an <a href="http://www.first.org/cvss/cvss-guide.html#i2.4"
> +<p>The vector is an
> +<a href="https://www.first.org/cvss/specification-document#6-Vector-String"
>  >abbreviated description</a> of the metrics that apply to the vulnerability.
>  </p>
>  
> -<p>CVSSv2 provides for 3 types of metrics and scores; base, temporal and
> +<p>CVSSv3 provides for 3 types of metrics and scores; base, temporal and
>  environmental.  The Subversion project will only ever provide the base
>  score and metrics.  As a project we cannot determine the environmental
>  risks of the various installations so it is not possible for us to
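Review bot: the href on the new line `<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations` is missing its closing double quote, so the following `>formula as specified by the standard</a>` is swallowed into the attribute value and the link is broken markup; the vector-string link added in the same hunk shows the intended form, with the `"` closed before the `>`. Add the quote. While here, the unchanged context lines spell "vunerabilit" and "vunerability" and could be fixed to "vulnerability".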
> @@ -4395,7 +4397,7 @@ so it's not possible for us to track the
>  </p>
>  
>  <p>Some vulnerabilities require specific configurations or environmental
> -factors in order to be exploited.  CVSSv2 specifies that the Access Complexity
> +factors in order to be exploited.  CVSSv3 specifies that the Access Complexity
>  metric consider how common such a configuration is.  As a result, a
>  vulnerability that requires an unusual configuration will have a low score.
>  The scores can help you prioritize how quickly you need to react to an advisory
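Review bot: only the version number changed here, but the metric name did not: CVSSv3 renamed "Access Complexity" to "Attack Complexity", and the v3 definition is not the v2 one, so the sentence "CVSSv3 specifies that the Access Complexity metric consider how common such a configuration is" now attributes a v2 rule to v3. Check the v3 specification's Attack Complexity definition and rewrite the sentence with the v3 name and meaning rather than keeping the v2 wording.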
> @@ -4406,33 +4408,32 @@ the vulnerability impacts your installat
>  <p>When calculating the Availability Impact metric of server vulnerabilities
>  the Subversion project will use the value of Complete within the context of
>  Subversion and not the host system.  For example when considering a Denial of
> -Service attack the Availability Impact metric will be calculated as Complete if
> -the vulnerability allows an attacker to make the Subversion server completely
> +Service attack the Availability Impact metric will be calculated as High if the
> +vulnerability allows an attacker to make the Subversion server completely
>  inaccessible.  On the other hand if the attack only made the Subversion server
> -slow or limited the number of successful connections it would be rated as
> -Partial.
> +slow or limited the number of successful connections it would be rated as Low.
>  </p>
>  
>  <p>When calculating the Integrity Impact metric of server vulnerabilities the
> -Subversion project will use the value of Complete when history of the
> -Subversion repositories may be changed or when the ability to modify any file
> -on the host system occurs.  The ability to change any file (while leaving the
> -appropriate history trail) in violation of any authentication or authorization
> -requirements will be treated as Partial.
> +Subversion project will use the value of High when history of the Subversion
> +repositories may be changed or when the ability to modify any file on the host
> +system occurs.  The ability to change any file (while leaving the appropriate
> +history trail) in violation of any authentication or authorization requirements
> +will be treated as Low.
>  </p>
>  
>  <p>When calculating the Confidentiality Impact metric of server vulnerabilities
> -the Subversion project will use the value of Complete when all files in the
> +the Subversion project will use the value of High when all files in the
>  repository may be read regardless of any authentiation or authorizaiton
> -requirements.  If only some files may be read it will be considered Partial.
> +requirements.  If only some files may be read it will be considered Low.
>  </p>
>  
>  <p>As a result of how we calculate these impact metrics you may see advisories
>  in vulnerability databases or vendor advisories that have a different score.
>  For instance an Linux distribution that provides a binary package of Subversion
>  may score the full exposure of the contents of the Subversion repository
> -hosted on the system as only a Partial Confidentiality Impact, resulting in
> -a lower score.
> +hosted on the system as only a Low Confidentiality Impact, resulting in a lower
> +score.
>  </p>
>  
>  </div>
>
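Review bot: this hunk is a straight relabelling of Complete to High and Partial to Low. CVSSv3 impact metrics do take the values High, Low and None, but their definitions are not the v2 ones word for word, so each paragraph's worked rule (in particular the Integrity rule that treats "the ability to change any file ... in violation of any authentication or authorization requirements" as Low) should be re-derived from the v3 definitions rather than renamed. The unchanged context lines also carry typos worth fixing while editing this section: "authentiation or authorizaiton" and "an Linux distribution".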
Originally I only intended to unbreak the links in the CVSSv2 section
but then decided to update the documentation to CVSSv3, which we are
using in the meantime.

Since I never calculated the CVSS score for a Subversion vulnerability
before, maybe someone familiar with the details could verify that the
information I changed is accurate?

In principle I only replaced what was called "Complete" in CVSSv2 to
"High" for CVSSv3 and "Partial" got changed to "Low". As far as the
specification goes, this should be how we handle it for CVSSv3, right?

Regards,
Stefan

Re: svn commit: r1818724 - /subversion/site/staging/faq.html

Daniel Shahaf-2
Stefan wrote on Tue, 19 Dec 2017 23:39 +0100:
> On 19/12/2017 23:35, [hidden email] wrote:
> Originally I only intended to unbreak the links in the CVSSv2 section
> but then decided to update the documentation to CVSSv3 which we are
> using meanwhile.

Ah, thanks!

> Since I never calculated the CVSS score for a Subversion vulnerability
> before,

If you're interested, you could go through the more recent advisories
(the security/ directories in the site and in the private repository),
read the patches that fixed them, compute a CVSSv2 or CVSSv3 vector
based on that (only, without reading the in-advisory analysis), and then
compare the one you computed with the one in the advisory.

This way, when the next vulnerability is reported, you'd be better able
to help compute / review a CVSS vector for it.

> maybe someone familiar with the details could verify the
> information I changed are accurate?
>
> In principle I only replaced what was called "Complete" in CVSSv2 to
> "High" for CVSSv3 and "Partial" got changed to "Low". As far as the
> specification goes, this should be how we handle it for CVSSv3, right?

Well, that depends on what the differences between CVSSv2 and CVSSv3
are.  I don't remember off the top of my head whether the semantics of
"Complete" (resp. "Partial") and "High" (resp. "Low") are equivalent.

Cheers,

Daniel
Re: svn commit: r1818724 - /subversion/site/staging/faq.html

Stefan
On 20/12/2017 01:08, Daniel Shahaf wrote:

> Stefan wrote on Tue, 19 Dec 2017 23:39 +0100:
> [...]
>> Since I never calculated the CVSS score for a Subversion vulnerability
>> before,
> If you're interested, you could go through the more recent advisories
> (the security/ directories in the site and in the private repository),
> read the patches that fixed them, compute a CVSSv2 or CVSSv3 vector
> based on that (only, without reading the in-advisory analysis), and then
> compare the one you computed with the one in the advisory.
>
> This way, when the next vulnerability is reported, you'd be better able
> to help compute / review a CVSS vector for it.
Good hint. I'll eventually get more familiar with it.
For the time being, however, I will focus on cleaning up the remaining
dead links throughout our webpage, putting together the hackathon page,
and then getting on with signing/testing the 1.10 RC1 builds as well as
releasing new MaxSVN builds (at least that's my current priority list).

Regards,
Stefan