oss-sec mailing list archives
CVE-2022-21449 and version reporting
From: "Seaman, Chad" <cseaman () akamai com>
Date: Thu, 28 Apr 2022 14:12:04 +0000
Hi All,

Have a question for MITRE, Oracle, and folks here…

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

> "Update 2: Oracle have informed me they are in the process of correcting the advisory to state that only versions 15-18 are impacted. The CVE has already been updated <https://nvd.nist.gov/vuln/detail/CVE-2022-21449>. Note that 15 and 16 are no longer supported, so it will only list 17 and 18 as impacted."

Checking the official CVE listing…

https://nvd.nist.gov/vuln/detail/CVE-2022-21449

It appears this is true: the reported versions in the official CVE listing only show 17 and 18, where 15 is also impacted.

In what universe exactly are versions omitted from vulnerability reporting because a vendor "no longer supports that version"… when this non-supported version is still vulnerable? Are exploit developers expected to check against the version of the vulnerable application during their exploit detonation to ensure they're "only infecting supported versions"? Why is this being allowed… this is dangerous for everyone involved save for Oracle's own ego or public image.

Scratching my head,
Chad
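Since the thread's point is that a version list from the advisory cannot be trusted to enumerate every affected build, the practical alternative is to probe the behaviour itself. The following is an added example, not code from the mailing list, the linked blog post or Oracle: it assumes, as the linked post describes for CVE-2022-21449, that an affected JDK's ECDSA verifier accepts a DER-encoded signature whose r and s are both zero, and it reports whether the running JDK does so, regardless of what `java.version` says. The class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

public class PsychicSignatureProbe {

    // Constructed DER signature: SEQUENCE { INTEGER 0, INTEGER 0 }, i.e. r = 0 and s = 0.
    // A correct ECDSA verifier must reject r = 0 or s = 0 before doing any curve math.
    static final byte[] ZERO_DER_SIGNATURE = {
        0x30, 0x06,             // SEQUENCE, length 6
        0x02, 0x01, 0x00,       // INTEGER r = 0
        0x02, 0x01, 0x00        // INTEGER s = 0
    };

    // Returns true when this JDK's SHA256withECDSA verifier accepts the all-zero
    // signature over an arbitrary message under a freshly generated P-256 key.
    // The key is throwaway: the signature is valid for no message under any key,
    // so acceptance can only come from the verifier failing to bounds-check r and s.
    static boolean acceptsZeroSignature() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // NIST P-256
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update("any message at all".getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(ZERO_DER_SIGNATURE);
        } catch (SignatureException e) {
            // A provider may reject the signature by throwing instead of returning false;
            // either way the zero signature was not accepted.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        boolean vulnerable = acceptsZeroSignature();
        System.out.println(vulnerable
            ? "all-zero ECDSA signature ACCEPTED: this JDK is affected by CVE-2022-21449"
            : "all-zero ECDSA signature rejected: not affected");
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Compile and run it with the exact JDK that backs the application (`javac PsychicSignatureProbe.java && java PsychicSignatureProbe`); the non-zero exit status makes it usable from a deployment or CI gate. Because the probe tests the verifier's behaviour rather than comparing version strings, it gives the same answer for an unsupported 15 or 16 build as for 17 or 18, which is exactly the case the advisory's version list leaves out.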
Current thread:
- CVE-2022-21449 and version reporting Seaman, Chad (Apr 28)
- Re: CVE-2022-21449 and version reporting Brian Behlendorf (Apr 28)
- Re: CVE-2022-21449 and version reporting Jeremy Stanley (Apr 28)
- Re: CVE-2022-21449 and version reporting Seth Arnold (Apr 28)
- Re: CVE-2022-21449 and version reporting Sven Schwedas (Apr 28)
- Re: CVE-2022-21449 and version reporting Seaman, Chad (Apr 28)
- Re: CVE-2022-21449 and version reporting Christian Fischer (Apr 30)
- Re: CVE-2022-21449 and version reporting John Helmert III (Apr 30)
- Re: CVE-2022-21449 and version reporting David A. Wheeler (Apr 30)
- Re: CVE-2022-21449 and version reporting Christian Fischer (Apr 30)
- Re: CVE-2022-21449 and version reporting John Helmert III (May 01)
- Re: CVE-2022-21449 and version reporting Sven Schwedas (Apr 28)