Saturday, September 21, 2024

Review - Reader Comment – Advisory Mistakes

Yesterday, an anonymous reader left a comment about my Thursday blog post on CISA advisories published that day. The reader notes:

“About the Rockwell advisory: on that vendor's publication for that vulnerability there is a reference to a JSON to help you automate the vulnerability handling, but the JSON refers to another vulnerability. Looks like the webpage is copy/pasted.”

If you look at the bottom of the Rockwell Advisory you will find the following:

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

· JSON CVE-2024-7847

To be clear, that CVE is for the vulnerability discussed in the advisory. On the advisory, that last line, ‘JSON CVE-2024-7847’, has an active link to https://cveawg.mitre.org/api/cve/CVE-2024-45825. Obviously, that is the wrong CVE number. Interestingly, Rockwell is using the Mitre JSON document instead of developing their own tool to produce JSON pages.

Now, as to how this happened, the cut and paste suggestion by the anonymous reader who noted the problem could easily be right. As I well know, there are numerous ways that errors in links can creep into documents. That is where good editors provide an invaluable service to writers. Unfortunately, blog writers do not usually have editors, and I suspect that the corporate writers of advisories are similarly lacking that type of support. We have to rely on readers like my anonymous friend here to catch the mistakes that we miss.
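The kind of consistency check that would catch the mismatch described above, as an added example that is not from this blog or from Rockwell: it compares the CVE named in the advisory with the link text, the link target and the `cveMetadata.cveId` field of the linked record, assuming the CVE JSON 5.0 layout that cveawg.mitre.org serves, and uses a constructed record in place of a live fetch.

```python
import json
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample mirroring the advisory: the CVE the advisory is about,
# the link text and target at its bottom, and a minimal CVE JSON 5.0 record
# as cveawg.mitre.org would return for the link target (not a real fetch).
ADVISORY_CVE = "CVE-2024-7847"
LINK_TEXT = "JSON CVE-2024-7847"
LINK_URL = "https://cveawg.mitre.org/api/cve/CVE-2024-45825"
FETCHED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2024-45825", "state": "PUBLISHED"},
})


def cve_in(text):
    """Return the first CVE identifier found in text, or None."""
    m = CVE_ID.search(text or "")
    return m.group(0) if m else None


def check_link(advisory_cve, link_text, link_url, record_json):
    """Return a list of mismatch descriptions; empty when everything agrees."""
    problems = []
    text_cve = cve_in(link_text)
    url_cve = cve_in(link_url)
    try:
        record_cve = json.loads(record_json)["cveMetadata"]["cveId"]
    except (ValueError, KeyError, TypeError):
        record_cve = None  # not a parseable CVE 5.0 record
    if text_cve != advisory_cve:
        problems.append(f"link text names {text_cve}, advisory is about {advisory_cve}")
    if url_cve != advisory_cve:
        problems.append(f"link target is {url_cve}, advisory is about {advisory_cve}")
    if record_cve != url_cve:
        problems.append(f"fetched record is {record_cve}, link target is {url_cve}")
    return problems


if __name__ == "__main__":
    for p in check_link(ADVISORY_CVE, LINK_TEXT, LINK_URL, FETCHED_RECORD):
        print("MISMATCH:", p)
```

Run against the constructed sample it reports one mismatch, the link target pointing at a different CVE than the advisory; a record whose `cveId` disagreed with the URL it was fetched from would be flagged separately.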


For more information about the machine readable alternatives, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/reader-comment-advisory-mistakes - subscription required. 
