If you’re running an Apache Struts 2 server and haven’t patched for CVE-2017-5638, stop reading right now and do so. Researchers are reporting that exploits of the vulnerability are trivial to carry out, highly reliable and require no authentication. While NIST has only had a placeholder for the Apache Struts 2 vulnerability, Black Duck has been reporting on it to customers who use this component. Our reporting started on Monday the 6th (the same day the patch was released), through our Enhanced Vulnerability Data (EVD) insight embedded into the Black Duck Hub, which provides much deeper analysis than the NVD alone.
Although CVE-2017-5638 is leading the news cycle, there are now 380 other CVEs listed in the National Vulnerability Database for the month of March. In this week’s open source and cybersecurity news:
Mike Pittenger, Black Duck’s vice president of security strategy, provides insight on the Apache Struts 2 vulnerability and the WordPress SQL Injection Bug. The Forrester Wave Report on software composition analysis highlights the clear prominence of open source as well as the need for open source vulnerability management. Legal experts examine the benefits and risks of open source use.
A new pairing of Microsoft and Black Duck technology can help developers spot open source code with licensing and security risks. How a three-pronged approach to application security is more effective than SAST or DAST alone. And the story behind Google’s emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.
Critical Vulnerability under “Massive” Attack Imperils High-impact Sites
via Ars Technica: In a string of attacks that continue to escalate, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.
The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.
Black Duck Commentary on Critical Apache Struts 2 Vulnerability
“Obviously, zero day vulnerabilities are a problem,” writes Mike Pittenger, “in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers with exploits already reported to be in the wild.”
“Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% still were vulnerable to Heartbleed.”
Microsoft Integrates Black Duck Open Source Tools with Visual Studio
Is someone sneaking open-source code as their own work into your Visual Studio project? Does some of the open-source code you're already using have known bugs in it? This new pairing of Microsoft and Black Duck technology can help with both problems, reports ZDNet.
Advocating a Three-pronged Approach to Managing Application Security Risk
Today, more than 80% of cyberattacks target software applications, writes Black Duck’s Patrick Carey in TechCentral.ie. Unsurprisingly, there is an array of application security tools to help companies address security risks, varying in both approach and coverage. For example, traditional application security tools – Dynamic Analysis Security Testing (DAST) and Static Analysis Security Testing (SAST) – are effective in finding bugs in the application code internal developers write. However, they are not as effective in identifying open source software vulnerabilities. Most open source vulnerabilities are reported by security researchers and not found by DAST and SAST application security tools.
Google Leads ‘Guerilla Patching’ of Big Vulnerability in Open Source Projects
Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November 2015, months after the first proof-of-concept code garnered almost zero attention.
Forrester Wave Report Highlights The Clear Prominence Of Open Source
via BusinessSolutions: The security industry is recognizing the importance open source has within enterprise applications and ultimately security, according to Forrester research. The Forrester Wave: Software Composition Analysis, Q1 2017 focused on Software Composition Analysis (SCA), found that developers use open source components as their foundation, and highlighted how security pros are turning to SCA tools to reduce risks.
WordPress SQL Injection Bug in NextGen Gallery
“The issue here isn’t that another vulnerability has been disclosed, it’s the fact that many organizations are negligent in monitoring these vulnerabilities and upgrading to remediate the issue,” notes Mike Pittenger on the WordPress SQL injection bug in NextGen Gallery.
Businesses Need Rigorous Policies and Procedures for Open Source Software to Harness Benefits and Counter Risks, Say Experts
In the context of an M&A transaction, open source software presents potential risks for a buyer where the license terms have not been properly complied with, write Iain Connor, James Robb and Tom Hadden of Pinsent Masons. Issues or disputes around open source code can result in severe delays to completion of deals, or an increase in the proportion of the purchase price withheld from payment until certain conditions are satisfied. In other cases, unsatisfactory arrangements around open source software, such as incomplete audit trails, might lead to the devaluation of the target business or, in extreme cases, a deal falling through altogether.