Incorrect CVE listed in HT205375 - https://support.apple.com/en-us/HT205375
Originator: bruienne
Number: rdar://32995209
Date Originated: 26-Jun-2017 09:44 PM
Status: Open
Resolved:
Product: Tech Note/Q&A
Product Version: N/A
Classification: Security
Reproducible: Always

Summary:
Under the "EFI" heading in HT205375 an incorrect CVE is attributed.

Steps to Reproduce:
1. In Safari load https://support.apple.com/en-us/HT205375
2. Find the EFI heading
3. Note that CVE-2015-4860 is listed as the supposed attributed CVE for the EFI vulnerability ("An attacker can exercise unused EFI functions") resolved by the update
4. Search for CVE-2015-4860 on cve.mitre.org
5. Note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860 does not match the described EFI vulnerability
6. Search "Security Update 2015-004 Yosemite" on lists.apple.com/archives/security-announce
7. Find https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html
8. Note that in APPLE-SA-2015-10-21-4 the attributed CVE is listed as CVE-2015-7035
9. Search cve.mitre.org for CVE-2015-7035
10. Note that the description matches the described EFI vulnerability

Expected Results:
The expected result is for the listed CVE to match the description in the CVE database.

Actual Results:
The CVE ID that is listed refers to an Oracle Java vulnerability.

Version:
N/A

Notes: