Yesterday we held our first Black Duck MasterClass, and if you missed it, you can still view the recording here. At 90 minutes long, it's full of information. We tried to keep it balanced and not go too far into the weeds, but tailoring content to a broad audience requires concessions. We’re going to have our next MasterClass in early January and very much want your feedback and suggestions on content.
One of the attributes of the MasterClass format is interactivity. We welcome questions, and take the time to address them during the session. In fact, if you view the recording, you’ll find we’re not afraid to interrupt the speaker with a question.
Open Source Security Vulnerabilities in glibc
One segment of the MasterClass contained a timeline for a glibc vulnerability disclosed earlier this year. CVE-2015-7547 covers a stack-based buffer overflow in getaddrinfo. This vulnerability started out as a defect report in July 2015 and ultimately resulted in a high-profile disclosure in February 2016. One live attendee at the MasterClass called me out on the timeline, stating:
“WTH... debian had fixed the GHOST glibc vuln (CVE-2015-0235) at 27.1.2015 for all distributions receiving security support. Your timelines are quite far off! https://lists.debian.org/debian-security-announce/2015/msg00025.html”
Challenges Keeping Up
This question highlights a number of challenges in keeping up with open source security vulnerabilities. In this case, there was confusion over which glibc vulnerability I was describing. CVE-2015-7547 and CVE-2015-0235 are two entirely different problems within the same package. It just happens that both were high profile, and CVE-2015-0235 was branded with the marketing name GHOST. Putting a marketing name on a vulnerability increases its visibility, which in turn means Site Reliability Engineers (SREs) remember it when they hear about it. The best example of this phenomenon is Heartbleed. We all remember Heartbleed and the work required to sort out fixes.
In the end, what we see is just how confusing it is to keep up with vulnerability reports. New reports are constantly being issued. National data feeds often lag significantly; a case in point is Dirty Cow, whose CVE entry (CVE-2016-5195) has yet to make the NVD a week after hitting the press. Delays in data flow increase the risk of compromise, so having a clear understanding of what is running in an environment is critical. Proactive notification of issues impacting your environment is something we all can have. Keeping up with open source vulnerability management need not be hard. Black Duck can help.
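The two points above, that a marketing name and a CVE id must resolve to the same record, and that an inventory of what is actually running is what turns an advisory into an actionable list of hosts, are easy to show in a few lines. The following is an added example written for this post, not Black Duck code and not a real feed: the alias map uses the two nicknames the post mentions, but the advisory version ranges and the host inventory are constructed placeholders, not the real affected versions.

```python
"""Resolve vulnerability nicknames to CVE ids and match advisories against a
package inventory. Added illustration; all version ranges and hosts below are
constructed placeholders, not real advisory data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Marketing names -> CVE ids. Both pairs are stated in the post above.
ALIASES = {
    "ghost": "CVE-2015-0235",
    "dirty cow": "CVE-2016-5195",
}


def canonical_id(ref: str) -> str:
    """Return the CVE id for a CVE id or a known nickname; unknown names raise,
    so a typo never silently matches nothing."""
    ref = ref.strip()
    if ref.upper().startswith("CVE-"):
        return ref.upper()
    try:
        return ALIASES[ref.lower()]
    except KeyError:
        raise ValueError(f"unknown vulnerability reference: {ref!r}")


def parse_version(v: str, width: int = 3) -> Tuple[int, ...]:
    """Turn an upstream version like '2.6.22' into a fixed-width int tuple.
    Parsing stops at the first non-numeric suffix ('2.19-18+deb8u3' -> (2, 19, 0)),
    which is exactly why upstream-version matching alone misjudges distro
    packages that carry backported fixes (see the usage note)."""
    nums: List[int] = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        nums.append(int(m.group()))
        if m.end() != len(seg):  # trailing distro suffix: stop here
            break
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet


# PLACEHOLDER ranges for illustration only; not the real affected versions.
ADVISORIES = [
    Advisory("CVE-2015-0235", "glibc", "2.0", "2.5"),
    Advisory("CVE-2015-7547", "glibc", "2.5", "2.9"),
    Advisory("CVE-2016-5195", "linux", "2.6.22", None),
]

# Constructed inventory: host -> package -> installed version.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"glibc": "2.4", "linux": "4.4"},
    "web-02": {"glibc": "2.9", "linux": "4.4"},
    "db-01": {"glibc": "2.3.1", "linux": "3.16"},
}


def is_affected(adv: Advisory, package: str, version: str) -> bool:
    """True when `version` of `package` falls in [introduced, fixed)."""
    if package != adv.package:
        return False
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def find_exposures(inventory=INVENTORY, advisories=ADVISORIES):
    """All (host, package, version, cve) tuples where an advisory applies."""
    hits = []
    for host, packages in inventory.items():
        for package, version in packages.items():
            for adv in advisories:
                if is_affected(adv, package, version):
                    hits.append((host, package, version, adv.cve))
    return sorted(hits)


def hosts_exposed_to(ref: str, inventory=INVENTORY, advisories=ADVISORIES) -> List[str]:
    """Hosts exposed to a vulnerability named by nickname or CVE id."""
    cve = canonical_id(ref)
    return sorted({h for h, _, _, c in find_exposures(inventory, advisories) if c == cve})


if __name__ == "__main__":
    for ref in ("GHOST", "CVE-2015-7547", "Dirty Cow"):
        print(f"{ref:14} -> {canonical_id(ref)} on {hosts_exposed_to(ref)}")
```

Asking for "GHOST" and for "CVE-2015-7547" returns different host lists against the same inventory, which is the confusion in the attendee's question made concrete. The deliberate limitation is in `parse_version`: a distribution that backports a fix without bumping the upstream version (the Debian advisory cited above is that situation) will still look affected to a pure upstream-version comparison, so a real check must consult the distribution's own advisory data or package changelog rather than the upstream range alone.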