Security

Submit a CVE Issue

openEuler’s security tooling scans for CVEs that affect packaged software and submits them as CVE issues to the security committee of the openEuler community. The title of a CVE issue must start with the CVE ID, followed by a brief description of the vulnerability, for example:

CVE-2019-11255: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

Security Group Distributes CVE Issues

The Security Group distributes CVE issues to the related repositories. A CVE issue contains the following information:

  • Detailed description of the vulnerability (the following fields are filled in by the CVE scanning tool)

    • [CVEID]: the CVE ID, including a link to the corresponding CVE entry

    • [PRODUCT]: product information from the CVE entry, including the vendor, developer, or project and the name of the affected software or hardware

    • [VERSION]: the affected versions: a version number, release date, or any other identifier the vendor, developer, or project uses to distinguish releases. It may also be given as a specific version number, a version range, or “all versions before / after a given version number or date”.

    • [PROBLEMTYPE]:

    • [REFERENCES]: related URLs and reference descriptions

    • [DESCRIPTION]: detailed description of the vulnerability, including the type of attack it enables, its impact, the software components of the product that are affected, and any attack vector that can exploit it

    • [ASSIGNINGCNA]: the name of the assigning CNA

Handle CVE Issues

The Maintainer confirms CVE issues and assigns them to the right people. Fixes may be provided by any contributor and are submitted for review by a Maintainer or Committer. When submitting a fix, link it to the CVE issue and provide the following information in full in the issue:

  • Is it a vulnerability? (Am I vulnerable?)

    • Describe the scenario in which the problem occurs (including the software, hardware, and interaction scenarios involved)
    • Impact and scope of impact
    • How to confirm whether the version in use contains the issue
  • How to mitigate the vulnerability (How do I mitigate the vulnerability?)

    • Short-term mitigation plan
    • Long-term mitigation plan, such as where to obtain the patch and how to install it
  • Severity rating of the vulnerability, using CVSS, for example:

CVSS Scoring Sheet

Scoring Item            openEuler   NVD
CVSS v3 Base Score      7.3         7.8
Attack Vector           Network     Local
Attack Complexity       Low         Low
Privileges Required     None        None
User Interaction        None        Required
Scope                   Unchanged   Unchanged
Confidentiality Impact  Low         High
Integrity Impact        Low         High
Availability Impact     Low         High

(The two assessments differ in attack vector, user interaction, and the three impact metrics; the metric values above are the ones that produce the stated base scores under CVSS v3.1.)

  • Detailed description of the vulnerability (the following fields are filled in by the CVE scanning tool)

    • [CVEID]: must include a link to the corresponding CVE entry

    • [PRODUCT]: product information from the CVE entry, including the name of the vendor, developer, or project and the name of the affected software or hardware

    • [VERSION]: the affected versions: a version number, release date, or any other identifier the vendor, developer, or project uses to distinguish releases. It may also be given as a specific version number, a version range, or “all versions before / after a given version number or date”.

    • [PROBLEMTYPE]:

    • [REFERENCES]: related URLs and reference descriptions

    • [DESCRIPTION]: detailed description of the vulnerability, including: the type of attack it enables; its impact; the software components of the product that are affected; any attack vector that can exploit it

    • [ASSIGNINGCNA]: the name of the assigning CNA

CVE Issues Management Policy

  • Fast track: when openEuler rates the issue as a serious security issue, the openEuler security team starts the fast track and provides a fix for every affected LTS version that is within its life cycle.

  • Normal integration: for important security issues, one of the following strategies is chosen according to the severity and scope of the problem:

    • The security issue is present in a released version. Depending on the problem, one of the following applies:

      • Strategy 1: the patch is released to all affected LTS and community versions within their life cycle
      • Strategy 2: the patch is released to the latest LTS version and the latest community version
      • Strategy 3: the patch is merged into the LTS and community versions currently under development (no security bulletin is issued for such issues)
    • The security issue has not reached any released version: it is handled as a development-version issue and the fix is merged into the current development version. No security bulletin is required for such issues.

CVE Issues Procedure