CVE's. Gamified? Maybe. Useful? Maybe. Fast-becoming-too-complex to manage? I think so.

But. This is currently one of the best ways of unified reporting & alerting of vulnerabilities to a wide audience. There's certainly room for improvement.

Recently, I got an inside view on the process.

My current ${DAY_JOB} is heavily a Red Hat shop. We're using quite a few of their offerings, including Mirror Registry which is a packaged single-node Quay instance for disconnected environments container hosting.

Is Quay pronounced "Kee" or Kway? Ancient scholars maintain the meaning was lost long ago...

I was spinning up several Mirror Registry deployments across a few disconnected environments, when I realized something.

  1. They all had identical CSRF SECRET_KEY values
  2. They all had literally password for Postgres and Redis (hey, I used literally correctly!)
  3. They all had identical Database SECRET_KEY values

This... is not optimal.

So. I did 2 things. Well, 3. But lets talk about the first two.

  1. I emailed Red Hat Security [email protected] per their documented procedures on 23 Feb 2024
  2. I prepared a PR to resolve the issue, and submitted after coordinating with Red Hat Security.

The initial email exchange went smoothly and rapidly, then.... Things languished. No response for 1.5 months, and I finally... well, I finally resorted to the method everybody who gets fed up with waiting. I tweeted angrily and wouldn't ya know, 2 hours later we had forward progress.

And, surprisingly, to me at least - they issued 4 CVE's for these reported issues.

  • CVE-2024-3622
  • CVE-2024-3623
  • CVE-2024-3624
  • CVE-2024-3625

To be honest, I wasn't looking for CVE's, I'm not a bug bounty enthusiast (and it doesn't look like Red Hat even participates in any!) I'm just a server wrangler who doesn't like hard-coded passwords.

So, it was fun to contribute back to a project that has provided value.

It was cool to be on the submitting end of a security report (for once)

And then, uh... Well, I did say 3 things, right? So:

3: I helpfully included a bug so .... another PR to fix that issue.

At the end of the day, some people love CVE's, some people hate them and some just like calculating CVSS's way too much. They're a tool, a method for cataloguing and communicating Security vulnerabilities in a (mostly) consistent manner.

Use the tools we have available, and patch those bugs!

(And please, please don't hard-code creds...)