Clarify whether the state of being EoL is a vulnerability and can receive a CVE assignment #10
Comments
|
Agreed - the mere fact of EOLness is not a vulnerability. Also, producers routinely issue fixes for otherwise end-of-service software, sometimes begrudgingly, but often in the face of widespread exploitation. CVEs for EOL software can depress this kind of emergency activity and will put users at risk, since it gives those producers and artificial "out." |
|
My personal opinion:
Totally agree it would be nice if there were existing other channels to signal EOL-ness. Either at the repository level (like NPM) or through package meta-data (multiple specs / committees are discussing this but in practice that would be years away before adoption). In the absence of those mechanisms, CVEs are about the one universally accepted mechanism for signaling risk. So, while imperfect and only when (1) isn't feasible, this practice of generic EOL+risk CVEs might still have more benefit than harm? |
|
My (current) opinion for the record:
|
|
Great thoughts all around. My current strong-convictions-loosely-held are:
Also, responses to some comments both here and in the slack thread:
I agree with this in spirit, but in practice software producers already & always have said "out" – and it's by far more common than indefinitely accepting and managing vulnerability reports for long dead software.
Agreed. Security Policy is used in several places but never defined, and fwict from multiple POVs. That said, in this context I think it's fair to assume a "security policy" to be defined along the lines of If that logic holds, I'm strongly of the opinion that some form of
If the CVE program's purpose is to identify, catalog, and disclose cybersecurity vulnerabilities, a software maintainers explicit declaration that there will be no oversight on a project should absolutely be considered a vulnerability. |
This has essentially been our reasoning when emitting the CVE for Node.js EOL versions. Note that it might have been lost in the noise: all the Node.js versions included in CVE have multiple unpatched vulnerabilities. All the people affected are essentially using vulnerable software. ——
An alternative option is to always include EOL versions in new CVEs even if a new vulnerability has not been assessed for them. This likely creates a lot of edits to the CVEs, which we don’t have the resources to do, and it really shouldn’t be done by 3rd parties that do not know our project. However, finding a way to make this work might be possible. Is this a preferred route? |
|
I do not disagree that EOL status is important security information, and as @mcollina notes, EOL software is likely accumulating unfixed vulnerabilities. The "narrow" question for CVE is whether or not CVE should be the mechanism to convey this. I have no great experience or preference, but do any of these efforts help? https://openeox.org/ That is, is there a "better" way to convey EOL than CVE? |
In this view, would a unit of software get one assignment when that unit becomes EOL? |
|
Thanks @zmanion. I agree with your take here - the mere fact that software is EOL should not be considered a vulnerability. I also agree that it is a software risk, but that feels out of scope of the CVE system for me. There are two ways vulnerabilities can be reported against EOL software today:
This does leave a gap in vulnerability reporting for the second case here which a CVE such as CVE-2025-23089 might have been designed to address, but I feel the CVE system is the wrong place to close that gap. Minor and patch releases of software are almost always "unsupported" as soon as a new version comes out. For example, the current release of Node.js is v23.6.1. This means v23.6.0 is effectively EOL as well and will no longer receive security updates either. Trying to issue CVE ids to close this gap would require a new release or updated CPE metadata for every single release. |
Note that CVE-2025-23089 wasn't emitted when the release went EOL but when we shipped a new set of security releases for the supported lines. The result is that the EOL release lines are very likely vulnerable, but we don't have the bandwidth to clearly assess all the previous lines for all valid CVEs. Managers think they are safe because there no known vulnerabilities, and teams are not being given budget to allocate to upgrades. An alternative is to widen the range for all new CVEs and always include some past versions range out of caution (and mention it in the CVE). Would that be better?
I don't see any good, widespread alternative to convey "this release line has vulnerabilities in it, you are using EOL software and we are not assessing it". https://www.cve.org/Resources/General/End-of-Life-EOL-Assignment-Process.pdf covers the case of pure EOL vulnerabilities, but it provide close to no guidance for the mixed case we live daily. |
This is not how our release process works. Our release lines are only majors, and are the one receiving new releases with the security fixes. You can read more about our release process at: |
Thanks @mcollina! And fwiw: knowing that this particular instance of an "EOL CVE" does actually target vulnerable versions makes this a perfect example where this kind of approach seems warranted.
This is a SOLID question that a few of us have been wrestling with. Ideally, IMO, I would say yes. My thinking is that this current instance is a one-time "catch-up" – when the next version of Node hits EOL (specifically the "cut off" point where future CVEs will no longer be validated against said version) goes EOL, a much more narrow scoped EOL CVE for the most applicable range would be filed. (Again, using this example, but I'm in no way affiliated / speaking on behalf of node 😅 ) The end result is that I as a CVE consumer (whether security team, development, or GRC) will now be alerted that – according to the actual project + maintainers – am at risk for running this EOL software with an established vulnerability / threat vector. Isn't that the very reason for the CVE project? Granted, we can semantically argue whether said "EOL Vulnerability" is/isn't a specific credible issue vs a categorical one, but I'd argue if the CVE model doesn't support the real world application of it's principles then the model should be changed... and maybe that's where we tighten up the rules/policies so it's not free form chaos.
Oof please no. I see your rationale, but IMO this shuffles the unmanageable maintainer-burden of validating every issue against every historical version to the consumer's end (wrt making an informed decision about their risk profile). Far better to either leave the status quo or provide a broader stroke to signify it's up to consumers to measure the risk IMO. Emphasis added below:
Spring's actually a great example, as most list the subjectively relevant affected versions and then opt out with
Okay, I'll take a step back here. Again, clearly something I'm passionate about – but I think this is one of the most important decisions we could make for the next N decades of software development. I think it would benefit this thread to have the vendors/originators-of-software weigh in more on whether support of EOL in some form would produce better results. @zmanion I'm assuming we're not limiting the discussion here to just Node's EOL CVE, but happy to spin up new issues if preferable. Just lmk |
|
oss-security thread: https://www.openwall.com/lists/oss-security/2025/01/21/5 |
IMO this is a universal discussion/decision, not limited to Node.js. And at the risk of repeating myself or others, the narrow question is whether the CVE Program allows assignments for EOL. I believe there is broad agreement (including within the CVE Program) that knowing softare is EOL (and security fixes won't be provided, at least not by the original vendor/developer/maintainer) is important and useful information. |
I think we're saying the same thing just differently - my point is just that every patch release is immediately EOL as soon as a new patch release comes out. The same for minors, and that this is likely true for every open source project out there. |
This assignment documents that some versions of Node.js are EoL. It is my personal opinion and recommendation that being EoL is not a technical cybersecurity vulnerability that should receive a CVE ID assignment, but others may think differently. The decision should be documented in the CNA Operational Rules and probably also the End of Life Vulnerability Assignment Process documents.
https://www.cve.org/CVERecord?id=CVE-2025-23089
The text was updated successfully, but these errors were encountered: