<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Solar Designer <solar () openwall com>
Date: Tue, 30 Jan 2024 22:45:00 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Thank you Greg for looking into these issues. It's great that most
longterm kernel trees appear already fixed.
On Tue, Jan 30, 2024 at 08:34:03AM -0800, Greg KH wrote:
Yeah, that looks really high but who knows how CVSS scores really are
calculated :)
Actually, we do - this is transparent. NVD publishes not only the
scores, but also all the inputs, and the formula is public and they have
a calculator on their website:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Vulnerability scoring is genuinely difficult. I think CVSS is a pretty
good attempt at standardizing it, but it cannot capture all the nuance,
especially not in the Base Score.
For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's
CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the
vulnerability can be triggered by a local system user at will and
without additional privileges. I'd say that deliberately getting the
kernel to work on a corrupted filesystem requires at least one of:
physical access (AV:P) or privileges on the system (PR:H) or user
interaction (UI:R). However, there's no way to encode this in one CVSS
vector. Also, in the physical access case, at least the availability
impact typically does not apply (would be A:N).
Maybe having multiple CVSS vectors per vulnerability (and then taking
the average score?) could be a solution, but it'd require that someone
very familiar with the affected component and its usage actually spend
time thinking of all relevant combinations. Not likely to happen.
Alexander
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)
Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Thadeu Lima de Souza Cascardo (Jan 31)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Feb 02)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->