
Re: svn commit: r1818724 - /subversion/site/staging/faq.html

From: Stefan <luke1410_at_posteo.de>
Date: Tue, 19 Dec 2017 23:39:23 +0100

On 19/12/2017 23:35, luke1410_at_apache.org wrote:
> Author: luke1410
> Date: Tue Dec 19 22:35:53 2017
> New Revision: 1818724
>
> URL: http://svn.apache.org/viewvc?rev=1818724&view=rev
> Log:
> * site/staging/faq.html: Update the CVSS section to CVSSv3 including updating
> the links to the reference documentation. Add cvssv2 div to not break
> existing external links.
>
> Modified:
> subversion/site/staging/faq.html
>
> Modified: subversion/site/staging/faq.html
> URL: http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1818724&r1=1818723&r2=1818724&view=diff
> ==============================================================================
> --- subversion/site/staging/faq.html (original)
> +++ subversion/site/staging/faq.html Tue Dec 19 22:35:53 2017
> @@ -279,7 +279,7 @@ validating server certificate</tt> error
> <li>What's a 'baton'?</li>
> <li><a href="#def-wedged-repository">What do you mean when you say that
> repository is 'wedged'?</a></li>
> -<li><a href="#cvssv2">What is CVSSv2 and what do the score and vector
> +<li><a href="#cvssv3">What is CVSSv3 and what do the score and vector
> mean?</a></li>
> </ul>
>
> @@ -4355,20 +4355,21 @@ real data loss in the repository.</p>
>
> </div>
>
> -<div class="h3" id="cvssv2">
> -<h3>What is CVSSv2 and what do the score and vector mean?
> +<div id="cvssv2"></div>
> +<div class="h3" id="cvssv3">
> +<h3>What is CVSSv3 and what do the score and vector mean?
> <a class="sectionlink" href="#cvssv2"
> title="Link to this section">&para;</a>
> </h3>
>
>
> -<p>Subversion has begun using CVSSv2 in our
> -<a href="/security/#advisories">security advisories
> -</a>so you will now see a CVSSv2 Base Score and Vector in the Severity section
> -of our advisories. CVSSv2 is the current version of the Common Vulnerability
> -Scoring System which is an open industry standard for assessing the severity
> -of computer system security vulnerabilities. <a href="https://www.first.org/"
> ->FIRST</a> maintains the <a href="https://www.first.org/cvss/v2/guide"
> +<p>Subversion is using CVSSv3 in our
> +security advisories
> +so you will see a CVSSv3 Base Score and Vector in the Severity section of our
> +advisories. CVSSv3 is the current version of the Common Vulnerability Scoring
> +System which is an open industry standard for assessing the severity of
> +computer system security vulnerabilities. <a href="https://www.first.org/"
> +>FIRST</a> maintains the <a href="https://www.first.org/cvss/user-guide"
> >documentation</a> for the standard.
> </p>
>
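Review bot: the section permalink on the unchanged context line `<a class="sectionlink" href="#cvssv2"` still points at the compatibility anchor, so the pilcrow next to the CVSSv3 heading resolves to the empty `<div id="cvssv2"></div>` rather than the renamed `<div class="h3" id="cvssv3">`; change it to `href="#cvssv3"`. Separately, the rewritten paragraph drops the `<a href="/security/#advisories">` link that the removed lines wrapped around "security advisories", which looks unintentional since the log message only talks about updating the reference-documentation links; restore it as `<a href="/security/#advisories">security advisories</a>`.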
> @@ -4377,15 +4378,16 @@ scoring lower and more risky vunerabilit
> calculated by determining the metrics of the vunerability and then calculating
> the score based on those metrics. If you want to understand how a score was
> determined you would need the vector and an understanding of the
> -<a href="http://www.first.org/cvss/cvss-guide.html#i3.2">formula as specified
> -by the standard</a>.
> +<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations
> +>formula as specified by the standard</a>.
> </p>
>
> -<p>The vector is an <a href="http://www.first.org/cvss/cvss-guide.html#i2.4"
> +<p>The vector is an
> +<a href="https://www.first.org/cvss/specification-document#6-Vector-String"
> >abbreviated description</a> of the metrics that apply to the vulnerability.
> </p>
>
> -<p>CVSSv2 provides for 3 types of metrics and scores; base, temporal and
> +<p>CVSSv3 provides for 3 types of metrics and scores; base, temporal and
> environmental. The Subversion project will only ever provide the base
> score and metrics. As a project we cannot determine the environmental
> risks of the various installations so it is not possible for us to
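Review bot: the added line `+<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations` is missing the closing double quote of the href attribute before the `>` that starts the next line, so the attribute value swallows `>formula as specified by the standard</a>` and the anchor is malformed HTML (compare the well-formed `href="https://www.first.org/cvss/specification-document#6-Vector-String"` in the same hunk). Append the `"` to that line. While in this paragraph, the unchanged context lines spell "vunerabilit" and "vunerability"; worth fixing in a follow-up.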
> @@ -4395,7 +4397,7 @@ so it's not possible for us to track the
> </p>
>
> <p>Some vulnerabilities require specific configurations or environmental
> -factors in order to be exploited. CVSSv2 specifies that the Access Complexity
> +factors in order to be exploited. CVSSv3 specifies that the Access Complexity
> metric consider how common such a configuration is. As a result, a
> vulnerability that requires an unusual configuration will have a low score.
> The scores can help you prioritize how quickly you need to react to an advisory
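Review bot: only the version number was swapped here, so the sentence still names an "Access Complexity" metric that considers "how common such a configuration is", which is the v2 definition; CVSS v3 calls this metric Attack Complexity (AC) and defines it in terms of conditions beyond the attacker's control rather than how common a configuration is. Re-check this paragraph against the v3 specification's Attack Complexity section rather than relying on the mechanical rename, and at minimum change the metric name to "Attack Complexity".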
> @@ -4406,33 +4408,32 @@ the vulnerability impacts your installat
> <p>When calculating the Availability Impact metric of server vulnerabilities
> the Subversion project will use the value of Complete within the context of
> Subversion and not the host system. For example when considering a Denial of
> -Service attack the Availability Impact metric will be calculated as Complete if
> -the vulnerability allows an attacker to make the Subversion server completely
> +Service attack the Availability Impact metric will be calculated as High if the
> +vulnerability allows an attacker to make the Subversion server completely
> inaccessible. On the other hand if the attack only made the Subversion server
> -slow or limited the number of successful connections it would be rated as
> -Partial.
> +slow or limited the number of successful connections it would be rated as Low.
> </p>
>
> <p>When calculating the Integrity Impact metric of server vulnerabilities the
> -Subversion project will use the value of Complete when history of the
> -Subversion repositories may be changed or when the ability to modify any file
> -on the host system occurs. The ability to change any file (while leaving the
> -appropriate history trail) in violation of any authentication or authorization
> -requirements will be treated as Partial.
> +Subversion project will use the value of High when history of the Subversion
> +repositories may be changed or when the ability to modify any file on the host
> +system occurs. The ability to change any file (while leaving the appropriate
> +history trail) in violation of any authentication or authorization requirements
> +will be treated as Low.
> </p>
>
> <p>When calculating the Confidentiality Impact metric of server vulnerabilities
> -the Subversion project will use the value of Complete when all files in the
> +the Subversion project will use the value of High when all files in the
> repository may be read regardless of any authentiation or authorizaiton
> -requirements. If only some files may be read it will be considered Partial.
> +requirements. If only some files may be read it will be considered Low.
> </p>
>
> <p>As a result of how we calculate these impact metrics you may see advisories
> in vulnerability databases or vendor advisories that have a different score.
> For instance an Linux distribution that provides a binary package of Subversion
> may score the full exposure of the contents of the Subversion repository
> -hosted on the system as only a Partial Confidentiality Impact, resulting in
> -a lower score.
> +hosted on the system as only a Low Confidentiality Impact, resulting in a lower
> +score.
> </p>
>
> </div>
>
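Review bot: the Complete to High and Partial to Low substitution matches the v3 impact value names (None/Low/High), but the three impact paragraphs still express the Subversion-versus-host-system distinction ("within the context of Subversion and not the host system", "modify any file on the host system") the v2 way, by folding host-system effects into the Integrity value. In CVSS v3 that distinction is what the Scope metric (S:U versus S:C) is for, and the C/I/A values are scored relative to the vulnerable component, so the text should state how the project scores Scope (for instance Changed when the host system beyond the Subversion server is affected) instead of treating host-file modification as merely a High Integrity Impact. Also, the unchanged context line still reads "authentiation or authorizaiton"; fix the spelling while this section is being touched.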
Originally I only intended to unbreak the links in the CVSSv2 section
but then decided to update the documentation to CVSSv3 which we are
using meanwhile.

Since I never calculated the CVSS score for a Subversion vulnerability
before, maybe someone familiar with the details could verify that the
information I changed is accurate?

In principle I only replaced what was called "Complete" in CVSSv2 with
"High" for CVSSv3, and "Partial" got changed to "Low". As far as the
specification goes, this should be how we handle it for CVSSv3, right?

Regards,
Stefan
Received on 2017-12-19 23:39:38 CET

This is an archived mail posted to the Subversion Dev mailing list.
