[Info-vax] Security and CVE Counts across Disparate Systems, Again (was: Re: VMS Software needs to port VAX DIBOL to OpenVMS X86 platform)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Dec 21 11:17:06 EST 2020
On 2020-12-21 01:18:35 +0000, Simon Clubley said:
> When VMS has the same number of people probing it daily that Linux does
> then you can do that comparison. Until then, the comparison means
> absolutely nothing.
To extend this...
When the OpenVMS owners even *log* CVEs, when others *target* OpenVMS,
when the variety of components receiving CVEs within an OS are
comparable, etc., *then* comparing CVE counts... will still be less
than a pile of manure mulch.
There's a whole pile of SMH CVEs waiting, for anybody that wants to
investigate those. I've verified a couple against OpenVMS, and they do
work. But those more recent SMH CVEs were never logged against OpenVMS,
only Linux and Windows. I don't think that NTP reflection attack was
logged as a CVE against OpenVMS, either. The applicable Apache CVEs
definitely weren't logged against OpenVMS.
"But Apache isn't part of OpenVMS!" is quite true, but then various of
the OSes often compared do include Apache in their CVE counts. And many
other pieces OpenVMS does not. BIND, for instance, is present, and
there've been various BIND updates since the version that has shipped
with TCP/IP Services. Which means a less-problematic CVE count
comparison has to filter all those other pieces out, and account for
the OpenVMS CVEs that were fixed but not logged. And that's still
subject to differing vendor policies and differing researcher policies
around logging CVEs.
That NTP reflection attack:
https://groups.google.com/g/comp.os.vms/c/s_Oq-Oug76I/m/uWfSOz5fmosJ
Apache: https://www.cvedetails.com/vulnerability-list.php?vendor_id=45
SMH: https://www.cvedetails.com/google-search-results.php?q=smh&sa=Search
etc.
So in conclusion... comparing CVEs across wildly-disparate operating
systems with disparate CVE-logging policies provides a pile of "data"
that is... less than the argument that the author might think it is.
--
Pure Personal Opinion | HoffmanLabs LLC