Nessus is labeling the severity as medium

Ethan Rahn ethan.rahn at gmail.com
Wed Apr 5 03:02:23 UTC 2023


Every PM should have an exception process where you can give them a
statement about why it is not a problem for your application. I expect they
are trying to get out of filing paperwork.

Don't let policy get in the way of reality. Back in the days of blockchain
being hip there was a thought experiment: You work for a company that uses
the blockchain to manage all its shipments. The blockchain cannot be
tampered with so it is accurate. If one day you receive a box the
blockchain labeled as "bananas" and it is filled with batteries, what do
you do? Do you eat the batteries for potassium?

On Tue, Apr 4, 2023 at 5:24 PM Michael Mueller <abaci.mjm at gmail.com> wrote:

> CVE-2023-0464 has a base score of 7.5 and base severity of HIGH in the NVD
> (attached).
>
> That score and the description of the problem are misaligned in my opinion
> (meaning, I agree with the LOW severity - our app is not affected).
>
> But there are project managers in our organization that use NVD as the
> reference, and seeing the HIGH, are requiring a 30 day remediation deadline.
>
> Us devs are caught in the middle.
>
> Best regards and thanks for all you do,
> Mike Mueller
>
>
> On Tue, Apr 4, 2023 at 7:06 PM Dr Paul Dale <pauli at openssl.org> wrote:
>
>> I was discussing CVE-2023-0466 which seemed to be the relevant one.
>> Looking again, the table you included isn't overly clear (to me at least)
>> what it's referring to.
>>
>> Dr Paul Dale
>>
>> On 5/4/23 09:02, Dr Paul Dale wrote:
>>
>> We do not have a firm release date for 1.1.1u at this point.  As per our
>> policy, LOW severity CVE are not release triggering and this one is
>> considered LOW severity by the project.  Barring other eventualities, three
>> months is a likely time frame.
>>
>> I'll note that the issue here was in the documentation and that the fix
>> is purely a documentation change.  This change is already available online
>> on our web site:
>>
>>
>> https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html
>>
>>
>> Dr Paul Dale
>>
>> On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
>>
>> Hello,
>>
>> When will OpenSSL 1.1.1u be released?
>>
>> Tenable indicates the vulnerability severity of 1.1.1t as medium. I found
>> this post indicating that there is no ETA on the release of OpenSSL 1.1.1u
>> and that it may not be released for 3 months.
>>
>> OpenSSL Security Advisory
>> <https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html>
>>
>> From Nessus/Tenable scan:
>>
>> Plugin           : 173260
>> Plugin Name      : OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
>> Severity         : Medium
>> Plugin Output    :
>>   Banner           : Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
>>   Reported version : 1.1.1t
>>   Fixed version    : 1.1.1u
>> Solution         : Upgrade to OpenSSL version 1.1.1u or later.
>> Risk Factor      : Medium
>> CVE              : CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>>
>> Regards,
>>
>> Jack Joslin
>>
>> Business Services Outsourcing Center (BSOC)
>>
>> General Dynamics, Information Technology
>>
>> 327 Columbia Turnpike, Rensselaer, NY 12144
>>
>> jack.joslin at gdit.com
>>
>> m: +1.321.431.5117
>>