Date: Fri, 24 Oct 2014 16:02:53 -0400 (EDT)
Subject: Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185


> Red Hat Product Security handled this issue as CVE-2013-2185

In cases of disputes about the validity of a vulnerability with
respect to a specific threat model, it's sometimes possible to have
multiple CVEs. says:

> A remote attacker able to supply a serialized instance of the
> DiskFileItem class, which will be deserialized on a server, could use
> this flaw to write arbitrary content ...
> The Apache Tomcat team does not agree that this is a valid security
> flaw; they contend that an application performing untrusted
> deserialization is inherently insecure.

This suggests a completely general case in which the serialized
instance could come from an arbitrary untrusted source in an
application-specific way. Apparently, from the perspective of the
Apache Tomcat maintainer, they are not interested in recognizing the
completely general case as a vulnerability. Thus, from their
perspective, there are no affected versions.

The CVE-2013-4444 section of
discusses a much more specific threat model. From the perspective of
the Apache Tomcat maintainer, this is recognized as a vulnerability
with the affected versions of 7.0.0 through 7.0.39.

Both parties apparently agree that changes such as:

 -public interface FileItem extends Serializable, FileItemHeadersSupport {
 +public interface FileItem extends FileItemHeadersSupport {
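Review bot: Dropping `Serializable` from the public `FileItem` interface is an API-visible change for any implementation of the interface and any caller that serializes `FileItem` instances, and the hunk carries no comment or changelog text saying so; record the compatibility impact alongside the change. Note also that removing the marker from the interface does not by itself make an implementing class such as the `DiskFileItem` class named above non-serializable if that class declares `Serializable` on its own, so the deserialization-side fix for the 7.0.0 through 7.0.39 issue still has to be checked in the implementation class, not only here.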

should have occurred. However, there isn't agreement on exactly what
is the motivation for making the change.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
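The "completely general case" argued over above is that an application deserializes bytes from an untrusted source; the control for that case lives in the application, not in the library whose class happens to be in the stream. The following is an added example, not code from this message, from MITRE, Red Hat or the Apache Tomcat project: it uses the `java.io.ObjectInputFilter` API (Java 9 and later) to reject every class not on an explicit allowlist, so a serialized instance of any unexpected class is refused before its fields are read. The `SafeDeserializer` class, its `Greeting` type and the allowlist contents are assumptions made for the example; the constructed inputs are a round trip of an allowed class and a `java.util.Date` standing in for an arbitrary unexpected class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Added example (hypothetical class names), not code from the original message.
public class SafeDeserializer {

    // Hypothetical allowlist: the only classes this application expects to read back.
    // java.lang.String is included because ObjectInputStream passes String through
    // the filter as well.
    private static final Set<String> ALLOWED = Set.of(
        "SafeDeserializer$Greeting",
        "java.lang.String");

    // The one application type we intend to accept from the stream.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Filter decision per class encountered in the stream: allowlisted classes are
    // ALLOWED, anything else is REJECTED. A null serialClass means the filter is being
    // asked about stream limits (depth, references) rather than a class; leave those
    // UNDECIDED so the JVM's own limits apply.
    static ObjectInputFilter allowlistFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize untrusted bytes with the allowlist filter attached.
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowlistFilter());
            return in.readObject();
        }
    }

    // Helper to produce the constructed sample inputs.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an expected class round-trips normally.
        Greeting g = (Greeting) readFiltered(serialize(new Greeting("hello")));
        System.out.println("allowed: " + g.text);

        // Constructed input 2: a serializable class that is not on the allowlist is
        // rejected by the filter before any of its fields are read; the JVM reports
        // this as an InvalidClassException.
        try {
            readFiltered(serialize(new java.util.Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor in the stream, including nested objects, so an allowlist is checked class by class rather than only against the top-level type; that is why the filter, rather than a cast after `readObject()`, is the right place for the check.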

