This blog post by Oracle Linux engineers Daniel Kiper, Alexandr Burmashev, John Haxby and Jan Setje-Eilers tells the inside story of how the “BootHole” GRUB2 vulnerability was reported and resolved. Daniel and Alexandr are upstream maintainers of GRUB2 and are responsible for that code across all platforms. Oracle customers can find information about the impact of CVE-2020-10713 at this link.
As GRUB2 upstream maintainers, Oracle developers took the lead on both the disclosure coordination and the technical fixes. In their role as community maintainers for GRUB2, Daniel and Alexandr were notified of the vulnerability and immediately began analyzing its impact, coordinating the cross-vendor industry response, and ensuring that it would be fixed swiftly. In the end, this coordination effort would involve around 100 individuals from 18 companies.
CVE-2020-10713, the “BootHole” vulnerability, affects systems that boot a signed GRUB2 under UEFI Secure Boot, and it has a CVSS v3 base score of 8.2.