A couple of weeks ago I published a blog post titled “That Vulnerability is ‘Trending’ … So What?”. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this…
A CVE came across one of our feeds that monitors Twitter for mentions of a CVE ID that isn’t in VulnDB. This happens frequently enough that I simply cannot remember all the ID numbers. So CVE-2022-2259 popped up and off to Google I went since it is RESERVED in CVE. The top hit looked promising, a Feedly link that referenced it.
So not only does it reference the CVE, but it also attributes CWE-416 as the root cause, which is a use-after-free condition. The Feedly threat intelligence “Leo”, whatever that is, says it was published almost a year ago, is “trending”, and that it is high severity. Should be easy enough to track down then!
Next, check the only other Google search result that might be relevant. An article published on HotHardWare talking about a vulnerability in Google Chrome. Towards the bottom they use CVE-2022-2259, which is actually a typo of CVE-2022-2295.
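The check that would have caught this case is the kind a feed like the one described above can run before an unknown ID is treated as a new vulnerability. As an added example (not code from the original post or from VulnDB), the script below pulls CVE IDs out of a batch of text, flags any ID that is not in a known set, and reports which known IDs the unknown one is one adjacent-digit swap or one digit change away from. The known-ID set and the two messages are constructed for the example; in practice the set would come from your own vulnerability database and the text from whatever feed you monitor.

```python
import re

# Matches CVE IDs in either case; group 1 is the year, group 2 the sequence number.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text):
    """Return the distinct CVE IDs mentioned in text, normalised to upper case."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def likely_typos_of(cve_id, known_ids):
    """Known IDs that differ from cve_id in the sequence number by one
    adjacent-digit transposition or one single-digit substitution.

    Returns a list of (kind, id) tuples, transpositions first, because a
    swapped pair of digits (2259 vs 2295) is the more typical typing slip and
    a one-digit change will often land on a neighbouring real ID by chance.
    """
    year, seq = cve_id.split("-")[1:]
    hits = []
    for i in range(len(seq) - 1):  # adjacent transposition
        if seq[i] != seq[i + 1]:
            swapped = f"CVE-{year}-{seq[:i] + seq[i + 1] + seq[i] + seq[i + 2:]}"
            if swapped in known_ids:
                hits.append(("transposition", swapped))
    for i, ch in enumerate(seq):  # single-digit substitution
        for d in "0123456789":
            if d != ch:
                changed = f"CVE-{year}-{seq[:i] + d + seq[i + 1:]}"
                if changed in known_ids:
                    hits.append(("substitution", changed))
    return hits


def triage_mentions(texts, known_ids):
    """Map every mentioned ID to 'known', to its likely-typo candidates, or to
    'unknown' when nothing in the known set is a near miss.

    An 'unknown' result is the point at which a human should check whether the
    ID is RESERVED or simply does not exist, rather than letting an aggregator
    assign it a CWE and a severity.
    """
    report = {}
    for text in texts:
        for cve in extract_cve_ids(text):
            if cve in known_ids:
                report[cve] = "known"
            else:
                report[cve] = likely_typos_of(cve, known_ids) or "unknown"
    return report


# Constructed sample data for the example: a small stand-in for a real
# vulnerability database and two made-up messages mentioning CVE IDs.
KNOWN_IDS = {"CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"}
SAMPLE_TEXTS = [
    "Chrome update fixes CVE-2022-2294 and CVE-2022-2295, patch now",
    "Anyone seen details on cve-2022-2259? Not in CVE yet.",
]

if __name__ == "__main__":
    for cve, verdict in sorted(triage_mentions(SAMPLE_TEXTS, KNOWN_IDS).items()):
        print(cve, "->", verdict)
```

Run against the sample, the two Chrome IDs come back as known and CVE-2022-2259 comes back as a transposition of CVE-2022-2295, which is the typo behind the article mentioned above. The substitution branch is deliberately reported separately: in a busy year almost every four-digit sequence number has a real neighbour one digit away, so those matches are hints for a human, not grounds to merge two IDs automatically.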
Now Twitter, for good measure! And that’s a let-down as there is a single mention of that CVE, and it was me!
So I ask, rhetorically, how is this “vulnerability” trending when it doesn’t exist? How did Feedly’s “vulnerability intelligence” determine this was a use-after-free when it isn’t even a legitimate vulnerability? How the hell did they determine that a single Tweet constitutes it “trending” and then rate it with such high severity?
That is not vulnerability intelligence at all. That is causing needless alarm for actual vulnerability intelligence providers that actually do real research instead of automated aggregation with a slew of assumptions thrown in. Sad and ridiculous.