Security Scan always reporting latest patch level #1528
Same problem with 21: two different instances running 21.0.4.1 and 21.0.2.1 were both reported as "latest patch level" (the older one was scanned later).
This is not right per definition: the rating of an instance running a previous version could be A+ if no vulnerabilities are known and newer versions don't ship additional hardening, but it definitely must not indicate "latest patch level". The definition lacks a B grade; maybe this was intended to gradually reduce the rating for older patches without known vulnerabilities? PS: it becomes even funnier: 22.1.0.1 is not "latest" while 21.x.x.x still is..
I was indeed rather aiming to change the definition. A service not running the latest available patch version must be considered insecure by definition, as the admin isn't utilizing the most basic security measure: to keep software up-to-date at all times. There might be a reasonable grace period (maybe a couple of days) after a new patch version has been released to allow some testing, but beyond that there's simply no reason not to update to the latest patch level. Nextcloud shouldn't endorse such conduct by still rating this "A" or even "A+". Utilizing rating "B" is a good idea, though. It's important to note that "B" should have an orange-ish color, since it's nevertheless risky and bad to do so. If there are two later patch levels, we should end up with an "F" for "no longer supported". Speaking of ratings, a Nextcloud instance with known vulnerabilities (rating C) is orange? Why is that? It's a security issue after all. If there is a security issue, we have a red flag for sure. I'm totally fine with differentiating how bad things are, they can always be worse, but if things are bad, they are bad ("red"), and not "still kinda okay" ("orange").
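The grading scheme proposed in the comment above, written out as an added example (this is not code from the Nextcloud scanner, and the release list is a constructed sample, not the real changelog): "latest patch level" is determined within the instance's own major branch, one missed patch level gives an orange B, two or more give F, and known vulnerabilities give a red C.

```python
# Constructed sample of known releases; a real check would read the
# vendor's updater feed. Versions are compared numerically, per field.
KNOWN_RELEASES = ["20.0.10.0", "20.0.11.0", "20.0.12.0",
                  "21.0.2.1", "21.0.4.1", "22.1.0.1"]

COLORS = {"A": "green", "B": "orange", "C": "red", "F": "red"}


def parse_version(version):
    """'21.0.4.1' -> (21, 0, 4, 1); tuples compare field by field."""
    return tuple(int(part) for part in version.split("."))


def patches_behind(version, releases=KNOWN_RELEASES):
    """Number of newer releases in the same major branch as `version`.

    Comparing across branches is what makes 21.x look 'latest' while
    22.x exists, so only releases sharing the major number are counted.
    """
    current = parse_version(version)
    same_branch = [parse_version(r) for r in releases
                   if parse_version(r)[0] == current[0]]
    if not same_branch:
        raise ValueError(f"unknown branch for {version}")
    return sum(1 for r in same_branch if r > current)


def rate(version, known_vulns=False, releases=KNOWN_RELEASES):
    """Rating per the proposal: A latest, B one behind, F two or more
    behind ("no longer supported"), C if vulnerabilities are known.
    The A+/A hardening distinction is out of scope here."""
    behind = patches_behind(version, releases)
    if behind >= 2:
        grade = "F"
    elif known_vulns:
        grade = "C"
    elif behind == 1:
        grade = "B"
    else:
        grade = "A"
    return grade, COLORS[grade], behind


if __name__ == "__main__":
    for v in ["21.0.4.1", "21.0.2.1", "20.0.10.0", "22.1.0.1"]:
        print(v, rate(v))
```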
I agree common security best practice is to update fast, but I don't agree this habit is by definition more secure. Often new versions improve security and reduce vulnerabilities, but I would keep this decision on the vendor's side: as long as new versions don't improve security somehow, there is no reason to reduce the security score of preceding versions (new ones may even introduce new issues because of new functionality). One could have a discussion about whether A+ or A is better suited for this case, but I strongly disagree that the system should score an orange B only because it doesn't run the latest patch level; such a habit makes the score completely useless. Each system should run a supported and secure patch level, but given the fact that new versions don't ship any security improvement, there is no reason to consider them more secure.. For me A is good for each supported version without known security issues (maybe a green B; this fits more with @PhrozenByte's expectations).
Superseded patch levels aren't supported 😉 The first thing you'll get as an answer when reporting issues with older patch levels is to update to the latest one. The thing about this is rather easy: It's not always possible to fully comprehend whether a patch might have a security impact or not. Most patches solve issues that are not security issues themselves, but might have some security impact in combination with other flaws. To be sure you have to invest quite some time for research, if even possible, considering the size of the whole Nextcloud ecosystem. Not every fix with potential security impact is a security fix and treated as such. There are "accidental security fixes", too. Furthermore, research focuses on the latest patch level, so issues with older versions can be missed by researchers. "Best practice" doesn't mean "yeah, we all know we should, but it's still kinda okay if we don't". If there is no reason not to update, you update. As I said earlier, there is a reasonable grace period in which delaying updates to do some stability tests is totally fine. But not for almost two months (like for Nextcloud 20.0.10 right now, which was superseded by v20.0.11 on 2021-07-01). By the way, "yeah, we all know we should, but it's still kinda okay if we don't" pretty much sums up how an orange score is interpreted. Thus I feel like missing an update should receive a matching score.
We're talking about patch levels here, not about major updates. Nextcloud 20 reaches EOL in October and until then it still can reach A+ or A, if it's the latest patch level of course.
Even patch levels could introduce new functionality. I can't say whether this is often the case, but it can happen. Again, the vendor should decide if the previous patch is less secure than the latest one (in general I agree older patches should have some penalty on the security scanner.. but I'm not as strict as @PhrozenByte is).
One currently widely recognized issue, CVE-2021-41773, only affects the latest (at this time) version. Thousands of admins who patched to this version are under attack.. Previous versions might have security issues as well, but compared to the really simple break-out of the server context it's less urgent..
How is this related to Nextcloud? Are you trying to make an "empirical case count: one" / "but this one time..." point? A single event doesn't change anything about what the recommendations from the majority of security researchers are. Anyway, you made your point, I made my point, neither you nor I are adding anything useful here. We've different opinions. That's okay.
https://scan.nextcloud.com/ currently (Scanned at 2021-08-11 20:49) reports Nextcloud instances running v20.0.10 as "latest patch level", even though the latest release is v20.0.12. This is a bug.
The rating of this server still is A+. The rating of a Nextcloud instance not running the latest patch level should be a C at max, even though there are no known vulnerabilities.