[VIM] Fwd: Question about advisory and discrepancy between IBM / XForce

Brian Martin brian at opensecurityfoundation.org
Fri Dec 21 21:33:48 CST 2012


I got a bounce from the xforce at iss.net address that worked for so many 
years. No reply from IBM PSIRT yet. XForce now wants contact via a form 
that asks for name, phone number, address, and more, because it is a 
sales form that I am not going to waste time with.

Throwing this out in case anyone else has insight.

-------- Original Message --------
Subject: Question about advisory and discrepancy between IBM / XForce
Date: Fri, 14 Dec 2012 12:23:37 -0700
From: Brian Martin <brian at opensecurityfoundation.org>
To: psirt at vnet.ibm.com
CC: Daniel Moeller <daniel at opensecurityfoundation.org>,  ISS XForce 
<xforce at iss.net>


IBM & X-Force;

The Nov 19, 2012 advisory on IBM Power 5 Systems [1] describes a flaw
where firewall rules are not always executed, leading to network
configurations allowing for privileged connections that would otherwise
be denied. This advisory references CVE-2012-4856 and ISS XF 79736.

ISS XF 79736 [2] describes the flaw as multiple default accounts, and
also references CVE-2012-4856.

These are two fairly distinct and different issues that should not
receive the same CVE assignment. Could one of you clarify if there are
really two issues here, or if there is miscommunication between
departments in documenting the vulnerability?

Thanks,

Brian Martin
OSF / OSVDB.org

[1] http://aix.software.ibm.com/aix/efixes/security/squadrons_advisory.asc
[2] http://xforce.iss.net/xforce/xfdb/79736





