Security Working Group meeting - Wednesday Jan 4 - results

Joseph Reynolds jrey at linux.ibm.com
Thu Jan 5 05:59:39 AEDT 2023


An OpenBMC Security Working Group meeting is scheduled for this 
Wednesday Jan 4 at 10:00am PDT.

The meeting is on Discord voice.

=== MEETING ACCESS ON DISCORD VOICE  ===
First, join Discord via https://discord.gg/69Km47zH98 and confirm via email.
Then, to join: navigate Discord > OpenBMC > Voice channels > Security ~
https://discord.com/channels/775381525260664832/1002376534377635860


We'll discuss items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
items proposed on the Discord OpenBMC #security channel, and anything
else that comes up:


Sorry, I neglected to send the meeting reminder.  There was one topic...

Attended (Discord screen names): Attendance was low, possibly due to the 
recent holiday - Joseph Reynolds, Dick Wilkins, ddaniil, ssekar.


1 CVE-2022-40259

DISCUSSION:


Per Joseph, the OpenBMC BMCWeb team investigated CVE-2022-40259 and 
believes it does not apply to OpenBMC.  Will remove this agenda item.


In general, is it fair to ask if a non-OpenBMC CVE applies to OpenBMC?
Yes, this analysis is typically requested for high severity CVEs.  For
example, a security response team needs definitive information to be
able to make a statement like "We investigated CVE xyz and it does not
apply".


In general, do security response teams (such as OpenBMC SRT) reach out 
to competing projects for help to perform confidential analysis?  Yes, 
for example, UEFI reaches out to other SRTs as needed.  It is helpful 
when analyzing a problem to first expand the scope of the problem, for 
example to ask if it affects other implementations.


We discussed alternate options for working with the OpenBMC SRT:

  * Join the OpenBMC SRT.  Note that membership is generally limited to
    active members who make fixes in the OpenBMC project.

  * Attend security working group meetings (this meeting).  But note
    that private discussions cannot be discussed in this public meeting,
    so information about vulnerabilities will be delayed compared to
    other communication methods.

  * The OpenBMC SRT can reach out to other SRTs as needed.


How can OpenBMC SRT reach out to other SRTs?  Use their confidential 
vulnerability reporting process (variously named Product Security 
Incident Response Team (PSIRT), SIRT, Security Team, etc).


Access, agenda and notes are in the OpenBMC Security wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph
