I am currently in the process of filling out the 18031 RED Cybersecurity certification documentation. I am currently analyzing the security vulnerabilities list of NCS v1.4.2 (link below) and noticed that its only referencing vulnerabilities for the zephyr project. I had a couple questions for your team. Do the other main libraries (NCS and NRFXLIB) have a list of security vulnerabilities that would be applicable to the 18031? Are there any other libraries security vulnerabilities that would also be applicable to the 18031? I'm currently assessing specific version of mbed_tls as well for any security vulnerabilities. Any info on this subject would be greatly appreciated! docs.nordicsemi.com/.../vulnerabilities.html

NRF Connect SDK / NRFXLIB security vulnerabilities

Jameson 4 days ago

I am currently in the process of filling out the 18031 RED Cybersecurity certification documentation. I am currently analyzing the security vulnerabilities list of NCS v1.4.2 (link below) and noticed that its only referencing vulnerabilities for the zephyr project. I had a couple questions for your team.

Do the other main libraries (NCS and NRFXLIB) have a list of security vulnerabilities that would be applicable to the 18031?
Are there any other libraries security vulnerabilities that would also be applicable to the 18031? I'm currently assessing specific version of mbed_tls as well for any security vulnerabilities.

Any info on this subject would be greatly appreciated!

docs.nordicsemi.com/.../vulnerabilities.html

Parents

0 Øyvind 10 hours ago

Hello, I've been assigned you ticket and currently investigating internally.

I hope to get back to you within Thursday or Friday this week.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jameson 6 hours ago in reply to Øyvind

Thanks Øyvind!

I have some additional questions as well based on me digging in more.

3. I think I misunderstood the `vulnerabilities.html` document as being the active vulnerabilities for the zephyr product. After reading the top it seems like its the vulnerabilities RESOLVED for the current release. Can you confirm?

4. I looked up the specific zephyr product/version in the NVD that I'm using ncs 1.4.2 and zephyr 2.4.0 (its a bit behind). Would this be the correct list to reference for current vulnerabilities for the zephyr repo used within the nrf connect sdk?

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Ao%3Azephyrproject%3Azephyr%3A2.4.0%3A-%3A*%3A*%3A*%3A*%3A*%3A*
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Jameson 6 hours ago in reply to Øyvind

Thanks Øyvind!

I have some additional questions as well based on me digging in more.

3. I think I misunderstood the `vulnerabilities.html` document as being the active vulnerabilities for the zephyr product. After reading the top it seems like its the vulnerabilities RESOLVED for the current release. Can you confirm?

4. I looked up the specific zephyr product/version in the NVD that I'm using ncs 1.4.2 and zephyr 2.4.0 (its a bit behind). Would this be the correct list to reference for current vulnerabilities for the zephyr repo used within the nrf connect sdk?

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Ao%3Azephyrproject%3Azephyr%3A2.4.0%3A-%3A*%3A*%3A*%3A*%3A*%3A*
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data