CVE management process for Node.js

[mhdawson]

I had a discussion @dadinolfi from Mitre about the options for managing CVE's for Node.js.

There are 2 options that we have:

• Act as a CNA
• Use the web form to request CVE's as a one off.

Some open source projects already acting as a CNA

• OpenSSL
• Apache (covers all of apache)
• Drupal
• DWF (give CVEs for open source)

There are pros/cons as outlined in the sections which follows.

From my read of he rules and my discussion with @dadinolfi I think the extra work in being a CNA will be relatively small and have the community being able to control the CVE's assigned for Node.js would be good so I'd lean towards the option of Acting as a CNA.

Acting as CNA

When we act as a CNA, we get a block of CVE's at the start of the year and then assign these ourselves. When publicly disclose the vulnerability we use the web form (and other methods like json in the future) to provide info to Mitre which get published in the CVE. This information is relatively minimal

If any other entity wants a CVE for Node.js they will be referred to us and we decide based on the CNA rules if we believe a CVE should be assigned and if appropriate provide one to the requesting entity.

The full rules for acting as a CNA are here: http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf

• Pros

  • We can quickly assign CVE's
  • We have full control over the CVE's assigned for Node.js

• Cons

  • Some additional reporting requirements
  • We need to make sure those in the community implementing the process follow the rules

• misc

  • We need to be responsive to requests for CVE's
  • We need to provide Mitre with at least a couple of primary contacts that will respond to their enquiries
  • We need to plan to request our block of CVE's once a year.

CVE only public once public, don't publish number until public, release when embargo is lifted.

Web form

• Pros:

  • No pre-planning
  • Minimum work

• Cons

  • Longer cycle time to get CVE assigned and details published
  • Third parties could request/get assigned CVE's on Node.js that we may not agree with.

[mcollina]

I think we should act as a CNA, if we have the bandwidth to do so.

[drifkin]

(edited to fix the link to the PDF)

[mhdawson]

@nodejs/security, @nodejs/security-wg would be good to get input from a good number of people as we'll need a number of people to agree to help with the work required if we chose to act as a CNA.

[grnd]

Acting as a CNA will also help us assigning CVEs to vulnerabilities in npm packages as well

[mhdawson]

Just catching up after beeing out a few weeks.

It was mentioned here: #17 (comment) that HackerOne might be able to act as a CNA for us. Its another option to consider.

@dadinolfi any comments on pros/cons of that ?

[dadinolfi]

If you are a HackerOne customer, they can assign CVE IDs for vulnerabilities reported through their platform. If a vulnerability is disclosed outside of HackerOne, they may not assign for it, which then leaves you in a similar space as now. Some of HackerOne's customers are already CNAs themselves, and they and HackerOne have worked out who will assign for what and when.

[mhdawson]

Talkin with @sam-github who re HackerOne we came to the conclusion we should probably become a CNA even if we end up using HackerOne.

@nodejs/tsc @nodejs/security @nodejs/security-wg Please comment if you have any objections to the project becoming its own CNA for CVEs.

[Fishrock123]

CNA seems like a reasonably good idea.

[mhdawson]

Discussed in the TSC meeting today. Consensus was that we should try it out unless somebody objects in this issue in the next week (ie by Sep27th)

[mhdawson]

@dadinolfi I requested a CVE yesterday, just wondering if you can check if we'll get it soon ? At the same time we should probably agree on the next steps for us becoming a CNA as well.

[mhdawson]

@dadinolfi I just requested a second one right now as well, wanted to let you know in order to avoid confusion as its the first one that I'd like to get ASAP for https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/

[mhdawson]

@dadinolfi I received the second one but not the first one. If you can take a look at why we've not had a response on the first one that would be great.

[dadinolfi]

I'm looking into it.

[dadinolfi]

Our Content folks believe both requests had been replied to. Just in case:

CVE-2017-14849
and
CVE-2017-14919

[sam-github]

@mhdawson looks like there is general approval (and no objection) for us becoming a CNA. What are the next steps? What process needs to be put in place?

[dadinolfi]

From the MITRE side, we need the following four bits of information to proceed:

• The scope that the CNA would cover. For example, Microsoft's scope is "All Microsoft products". Yours might be something like "All actively-developed versions of software developed under the Node.js project".

• Public contact points. What email address or web address should we direct someone to who asks us for a way to contact you about CVE-related issues?

• Private contact points. We maintain a list of administrative contacts that we can reach out to directly in case there are issues that require immediate attention. This is typically one or more email addresses or a group mail alias.

• Email addresses to add to the CNA email discussion list. This is a closed mailing list that is used for announcements, sharing documents, or discussion relevant to the CNA community. The list rarely has more than ten messages a week.

Once I have these bits of information, I will ask the CVE Content Team to send you your initial block of CVE IDs. When you have a vulnerability to assign, you would take a CVE from that block, create the entry request (per Appendix B of the CNA Rules or using the JSON format described here: https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema ), and ask me to review it. I'll give you some feedback regarding the content and formatting. Once we are happy with it, you can submit it through the regular method (https://cveform.mitre.org/) or through the new GitHub-based process that I can set you up with.

Please let me know if you have any questions.

[sam-github]

@dadinolfi We definitely want to be a CNA for all projects administered by the Node Foundation, above info is great, thank you.

Can we, as well, be a CNA for thirdparty modules published to npmjs.org? If so, can we do it under the same CNA/block, or do we need a seperate application?

We will soon be accepting reports of vulnerabilities in these modules, it would be convenient to issue CVEs for them, even though the Node Foundation didn't write and publish those modules.

[mhdawson]

@dadinolfi to confirm I have both CVE's thanks.

[mhdawson]

@sam-github we have agreement to act as a CNA for Node core issues, I think we'd need to get further agreement as well as find people who are willing to do the work for third party modules before expanding the scope.

I suggest we start by ramping up to be a CNA just for node-core and then expand once we are comfortable with that.

[dadinolfi]

If no one else has those modules as part of their CNA scope, there would be no barrier to you assigning CVE IDs to vulnerabilities disclosed in those. By including them explicitly in your scope, though, you'd be taking on the responsibility of being the one to assign CVE IDs for them for all cases, and other CNAs would send people looking for CVE IDs for those modules to you.

[mhdawson]

Submitted request for Node.js to become CNA and manage CVE's

First cut at CVE management process #60

[dadinolfi]

I tried subscribing the email address you gave me to our cve-cna-list mailing list, but our mail server got a recipient rejected message when we tried to send to it. Is the address you gave me functioning?

Thanks.

-Dan

[mhdawson]

Email aliases PR had not yet landed, all in place now.

Process has been documented so we should be good to go. Landing.