Keeping Up with Open Source Security Vulnerabilities

Yesterday we held our first Black Duck MasterClass, and if you missed it, you can still view the recording here. At 90 minutes long, it's full of information. We tried to keep it balanced and not go too far into the weeds, but tailoring content to a broad audience requires concessions. We’re going to have our next MasterClass in early January and very much want your feedback and suggestions on content.

One of the attributes of the MasterClass format is interactivity. We welcome questions, and take the time to address them during the session. In fact, if you view the recording, you’ll find we’re not afraid to interrupt the speaker with a question.

Open Source Security Vulnerabilities in glibc

One segment of the MasterClass contained a timeline for a glibc vulnerability disclosed earlier this year. CVE-2015-7547 covers a stack-based buffer overflow in getaddrinfo. This vulnerability started out as a defect report in July 2015 and ultimately resulted in a high-profile disclosure in February 2016. One live attendee at the MasterClass called me out on the timeline, stating:

WTH... Debian had fixed the GHOST glibc vuln (CVE-2015-0235) on 27.1.2015 for all distributions receiving security support. Your timelines are quite far off!

Challenges Keeping Up

This question highlights a number of challenges in keeping up with open source security vulnerabilities. In this case, there was confusion over which glibc vulnerability I was describing. CVE-2015-7547 and CVE-2015-0235 are two entirely different problems within the same package: CVE-2015-0235 is a heap-based buffer overflow reachable through gethostbyname(), disclosed in January 2015, while CVE-2015-7547 is the stack-based buffer overflow in getaddrinfo() disclosed in February 2016. It just happens that both were high profile, and CVE-2015-0235 was branded with the marketing name GHOST. Putting a marketing name on a vulnerability increases its visibility, which in turn means Site Reliability Engineers (SREs) remember it when they hear about it. The best example of this phenomenon is Heartbleed. We all remember Heartbleed and the work required to sort out fixes.

In the end what we see is just how confusing it is to keep up with vulnerability reports. New reports are constantly being issued, and national data feeds often lag significantly; a case in point is Dirty Cow, whose CVE entry (CVE-2016-5195) has yet to appear in the NVD a week after hitting the press. Delays in data flow increase the risk of compromise, so having a clear understanding of what is running in an environment is critical, and so is proactive notification of the issues that actually affect that environment. Keeping up with open source vulnerability management need not be hard. Black Duck can help.

Black Duck Container Security MasterClass - Security Response Process
