Got some interesting feedback from an anonymous reader on Tuesday’s advisory post. Its about the conversion of affected version data from the Rockwell advisory into the CISA Advisory. Please read the comment. To better illustrate the reader’s comment, the table below is abstracted from the Rockwell advisory.
From a straightforward reading of the language used in the table the affected versions are ≥ v34.011 and <v34.014. And it looks like that is the way that CISA translated their data: “Versions v34.011 and later” and “Update to v34.014 and later”. The problem is that the more common way of defining affected versions is “≤ vXX.XXX”. This is because the assumption is made that when a vulnerability is found that it must have existed in versions preceding the one tested. It looks like Rockwell is taking a more forward looking attitude; ‘we know it exists at this point, and forward until we fixed it’. Owners can make the assumption about earlier versions, but since Rockwell (or the researcher) did not go back and test earlier versions, no claims about earlier versions are being offered in the Rockwell method of announcing affected versions.
Now, having said that, the Rockwell data is not always consistent with what I just said. I think this is an editorial consistency issue rather than a consistency of intent. The table below shows the last ten single CVE advisories, and the data provided in the affected version table in each advisory.
The data for CVE-2024-6078 reflects the more common method
of listing vulnerability status. But that is the only data point that does not
completely support my interpretation of the Rockwell data. Of course, the fact
that we have having this discussion is a sure sign that there is not really a
standardized reporting process for cybersecurity vulnerabilities.
No comments:
Post a Comment