oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Need real examples of VEX based on actual products and known vulnerabilities, such as Log4J #832

Open rjb4standards opened 1 week ago

rjb4standards commented 1 week ago

Please upload actual product VEX documents into the VEX examples repository, https://github.com/oasis-tcs/csaf/tree/master/csaf_2.1/examples/csaf/csaf_vex, for others to test against. The Log4J CVE would be a good example of real product impact, both affected and not affected status. Perhaps a VEX for Apache products that use Log4J would be good candidates for these examples.

tschmidtb51 commented 3 days ago

@rjb4standards Thank you for reaching out. The TC is going to discuss this in the next TC meeting.

Flagging @santosomar for attention

rjb4standards commented 3 days ago

Thank you Thomas. Please consider showing some VEX artifacts for products affected by Log4J as a real world example. This is a CVE we frequently use for testing and demonstration purposes. Thank you for your consideration.

santosomar commented 1 day ago

We (Cisco) didn't have VEX when Log4Shell (the famous log4j vulnerability) was disclosed. However, we now have VEX via a tool called CVR and also traditional security advisories in CSAF:

This is a real example of a VEX document for a Cisco product:

{
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {
            "category": "vendor",
            "name": "Cisco Systems, Inc.",
            "namespace": "https://www.cisco.com"
        },
        "title": "CVR data for version 20.15.1 of software Cisco Catalyst SD-WAN on platform Cisco Catalyst SD-WAN for CVE CVE-2024-1234",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "This Vulnerability Exploitability eXchange (VEX) document and all information contained therein (collectively, the VEX Document) is Cisco Confidential and provided as-is. While Cisco uses commercially reasonable efforts to assemble accurate information, the VEX Document is provided without any representation or warranty of any kind, whether express or implied.  Cisco, its licensors, successors, and assigns hereby disclaim any and all responsibility for your use of the VEX Document."
            }
        ],
        "tracking": {
            "current_release_date": "2024-11-27T02:12:43Z",
            "id": "cisco-vex-57.242.20.15.1:CVE-2024-1234",
            "initial_release_date": "2024-11-27T02:12:43Z",
            "revision_history": [
                {
                    "date": "2024-11-27T02:12:43Z",
                    "number": "1",
                    "summary": "Initial"
                }
            ],
            "status": "draft",
            "version": "1",
            "generator": {
                "date": "2024-11-27T02:12:43Z",
                "engine": {
                    "name": "Cisco Vulnerability Repository (CVR)",
                    "version": "0.4.0"
                }
            }
        }
    },
    "product_tree": {
        "branches": [
            {
                "category": "vendor",
                "name": "Cisco Systems, Inc.",
                "branches": [
                    {
                        "category": "product_family",
                        "name": "Cisco Catalyst SD-WAN",
                        "branches": [
                            {
                                "category": "product_version",
                                "name": "20.15.1",
                                "product": {
                                    "name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN 20.15.1",
                                    "product_id": "Cisco_Catalyst_SD-WAN:20.15.1"
                                }
                            }
                        ]
                    },
                    {
                        "category": "product_name",
                        "name": "Cisco Catalyst SD-WAN",
                        "product": {
                            "name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN",
                            "product_id": "Cisco_Catalyst_SD-WAN"
                        }
                    }
                ]
            }
        ],
        "relationships": [
            {
                "product_reference": "Cisco_Catalyst_SD-WAN:20.15.1",
                "category": "installed_on",
                "relates_to_product_reference": "Cisco_Catalyst_SD-WAN",
                "full_product_name": {
                    "product_id": "Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN",
                    "name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN 20.15.1 installed on Cisco Catalyst SD-WAN"
                }
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2024-1234",
            "product_status": {
                "known_not_affected": [
                    "Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
                ]
            },
            "notes": [
                {
                    "category": "description",
                    "text": "The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
                }
            ],
            "threats": [
                {
                    "category": "impact",
                    "details": "Component not present",
                    "product_ids": [
                        "Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
                    ]
                }
            ],
            "flags": [
                {
                    "label": "component_not_present",
                    "product_ids": [
                        "Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
                    ]
                }
            ]
        }
    ]
}

Red Hat also has VEX disclosures available at: https://security.access.redhat.com/data/csaf/v2/vex/

This is the Log4J real VEX doc from RedHat: https://security.access.redhat.com/data/csaf/v2/vex/2021/cve-2021-44228.json
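The posted document gives a concrete shape to test against. As an added example (not from this thread or the CSAF project), the following Python check walks a CSAF 2.0 VEX document the way a consumer would: it collects every product_id the product_tree defines (including the relationship's full_product_name), verifies that each product_id referenced under a vulnerability exists, and verifies that every known_not_affected product carries a justification (an impact statement or a flag), which the CSAF 2.0 VEX profile requires. SAMPLE_VEX is a constructed, trimmed document shaped like the one above; its product names and CVE id are placeholders.

```python
# Added example, not from the issue or the CSAF project. SAMPLE_VEX is a
# constructed, trimmed document shaped like the posted one; all ids are placeholders.
SAMPLE_VEX = {
    "document": {"category": "csaf_vex", "csaf_version": "2.0"},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_version", "name": "1.0",
             "product": {"name": "Example Product 1.0", "product_id": "PROD:1.0"}},
            {"category": "product_name", "name": "Example Platform",
             "product": {"name": "Example Platform", "product_id": "PLAT"}}]}],
        "relationships": [{"category": "installed_on", "product_reference": "PROD:1.0",
            "relates_to_product_reference": "PLAT", "full_product_name": {
                "product_id": "PROD:1.0:PLAT", "name": "Example Product 1.0 on Example Platform"}}]},
    "vulnerabilities": [{"cve": "CVE-0000-0000",  # placeholder id
        "product_status": {"known_not_affected": ["PROD:1.0:PLAT"]},
        "threats": [{"category": "impact", "details": "Component not present",
                     "product_ids": ["PROD:1.0:PLAT"]}],
        "flags": [{"label": "component_not_present", "product_ids": ["PROD:1.0:PLAT"]}]}]}

def collect_product_ids(product_tree):
    """All product_ids defined in the tree: products on any (nested) branch plus
    the full_product_name of each relationship."""
    ids = set()

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                ids.add(branch["product"]["product_id"])
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    for rel in product_tree.get("relationships", []):
        ids.add(rel["full_product_name"]["product_id"])
    return ids

def check_vex(doc):
    """Findings (empty = consistent): every referenced product_id must be defined,
    and every known_not_affected product needs an impact statement or a flag,
    as the CSAF 2.0 VEX profile requires."""
    findings, defined = [], collect_product_ids(doc["product_tree"])
    for vuln in doc.get("vulnerabilities", []):
        cve, status = vuln.get("cve", "<no cve>"), vuln.get("product_status", {})
        justified = {p for t in vuln.get("threats", []) if t.get("category") == "impact"
                     for p in t.get("product_ids", [])}
        justified |= {p for f in vuln.get("flags", []) for p in f.get("product_ids", [])}
        referenced = {p for ids in status.values() for p in ids} | justified
        for pid in sorted(referenced - defined):
            findings.append(f"{cve}: unknown product_id {pid}")
        for pid in sorted(set(status.get("known_not_affected", [])) - justified):
            findings.append(f"{cve}: known_not_affected {pid} lacks impact statement or flag")
    return findings
```

Running `check_vex` on a real file is a matter of `check_vex(json.load(open(path)))`; an empty list means both rules hold.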

rjb4standards commented 1 day ago

Thanks very much @santosomar. The Red Hat VEX for Log4J is exactly what I'm looking for. This information will help the Healthcare Sector Coordinating Council Vulnerability group to see what an actual VEX looks like. Perfect. Thank you.

santosomar commented 1 day ago

Absolutely! 👍 I'm glad it helped. Cheers 🍻

rjb4standards commented 1 day ago

Thanks Omar @santosomar. I'm an advisor to the Healthcare Sector Coordinating Council (HSCC) SRMA Vulnerability committee of the Cybersecurity workgroup, and there was a very recent discussion asking what a typical VEX contains, so this information will be passed on to the group, recognizing your contribution providing an actual VEX for Log4J. Very useful. Thank you.

tschmidtb51 commented 1 day ago

@rjb4standards There is also one from Secvisogram in the repo: https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/examples/csaf/csaf_vex/sec-vex-2022-0001.json

rjb4standards commented 1 day ago

Thanks, Thomas @tschmidtb51

Also, FYI: NIST has renamed "Vulnerability Disclosure Report" (VDR) to "Vulnerability Advisory Report" (VAR) to be consistent with IEC 29147, effective November 1, 2024 in SP 800-161r1-upd1 and updated online guidance as well: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

"Ensure that third-party suppliers continuously enrich SBOM data with a VAR."

tschmidtb51 commented 23 hours ago

The issue has been discussed in today's TC meeting and a Call to Action has been issued: https://groups.oasis-open.org/discussion/call-to-action-for-832