[Openvas-plugins] Handling the "no solution" problem

Chandrashekhar B bchandra at secpod.com
Wed Dec 11 13:13:02 CET 2013


Hello Jan,

There are products which are outdated/dead that'll never have a solution. That
is another condition to consider. There may be workarounds, and workarounds
could be to uninstall the product in some cases.

If you put a timeline like "....last one year", we need to keep that
timeline updated. For NVTs that do not have a solution for a year, we can put
a general message like this,

"No solution or patch is available since the disclosure of this
vulnerability."

If there is a workaround,

"No solution or patch is available since the disclosure of this
vulnerability. The workaround is to disable 'config' setting."

Thanks.
Chandra.


-----Original Message-----
From: Openvas-plugins [mailto:openvas-plugins-bounces at wald.intevation.org]
On Behalf Of Jan-Oliver Wagner
Sent: Wednesday, December 11, 2013 12:18 PM
To: openvas-plugins at wald.intevation.org
Subject: [Openvas-plugins] Handling the "no solution" problem

Hello,

currently we have a situation where many NVTs have a tag_solution with a
text like this:

"No solution or patch is available as of 06th December, 2013. Information
regarding this issue will update once the solution details are available."

It seems that for many products, like wingate (CVE-2008-3606,
scripts/2008/secpod_wingate_imap_dos_vuln_900201.nasl) no solution was
provided for a long time and very likely will not ever.

I propose for such cases to replace the above text by something like

"No solution or patch was made available for at least one year. Likely none
will be provided at all other than an upgrade to a newer release."

Better phrases for the core message are welcome.

Also: Is 1 year an appropriate duration until we can conclude there will be
no solution anymore?

Best

Jan

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner