November is here, and those of us in the US know what that means: the carved pumpkins of Halloween will soon be replaced by pumpkin pies, and the ooky spooky haunted house decorations will make way for the arguably scarier tradition of Thanksgiving family gatherings. However, there’s one occurrence that we can all count on to send chills down our spines all year round, and that’s the discovery of new open source security vulnerabilities — which brings us to one of my favorite monthly traditions: our list of top 5 new open source vulnerabilities in October.
WhiteSource’s trusted and hardworking Knowledge Team once again researched the WhiteSource database to put together a list of the top 5 new open source security vulnerabilities that we should all look out for. The WhiteSource database aggregates newly published open source security vulnerabilities from a variety of community resources, including the National Vulnerability Database (NVD), peer-reviewed security advisories, and issue trackers, to provide us with all of the data that we need in order to detect known open source vulnerabilities in our software projects.
Some of October’s top 5 list of new open source vulnerabilities grabbed a few headlines, but whether they created media buzz or not, all five vulnerabilities are connected to popular open source projects that many of us in the software development ecosystem are using.
So, here they are folks, October’s top 5 new open source security vulnerabilities, to help you make sure you get to them before the hackers do.
Vulnerability Score: High — 7.5
Affected versions: v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2
An improper input validation issue in vulnerable versions of the API server lets authorized users send malicious YAML or JSON payloads. This results in the server consuming excessive CPU or memory, and potentially crashing and becoming unavailable. This type of exploit is also known as a “Billion Laughs Attack”, because in its most popular example, the first entity is the string "lol", leading to the name "billion laughs". However, failing to detect a vulnerable version in our software projects is no laughing matter.
As containerized environments continue to flourish, projects like Kubernetes are getting more attention from the security community and publishing more fixes. If you, like so many other container users, are a Kubernetes fan, it's best to tighten up your Kubernetes security practices and make sure your version is up to date.
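As an added example (not Kubernetes or go-yaml code), the Go function below estimates how many nodes a YAML document will occupy once every alias (`*name`) is replaced by the anchored value (`&name`) it refers to, and rejects the document before it reaches the real parser when that estimate exceeds a budget. The cost model is an assumption of this example: every line costs 1 plus the cost of each alias on it, and an anchor defined on a line records that line's cost for later aliases. That is enough to catch the flow-style, one-anchor-per-line shape of the "Billion Laughs" payload the text describes; the sample documents are constructed, and the YAML library's own alias limits remain the primary defence.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Kubernetes or go-yaml code. EstimateExpansion is a cheap
// pre-filter in front of the real parser: it guesses the expanded size of a
// YAML document by following anchors and aliases line by line.

var (
	anchorRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`)
	aliasRe  = regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)
)

// ErrExcessiveAliasing is returned as soon as the running estimate passes the budget.
var ErrExcessiveAliasing = errors.New("yaml: alias expansion exceeds budget")

// EstimateExpansion returns the estimated expanded node count of doc, or
// ErrExcessiveAliasing (with the count reached) once the budget is exceeded.
// Model (an assumption of this example): each line costs 1 plus the cost of
// every alias on it; an anchor defined on a line remembers that line's cost.
func EstimateExpansion(doc string, budget int) (int, error) {
	cost := map[string]int{} // anchor name -> cost of the line that defined it
	total := 0
	for _, line := range strings.Split(strings.TrimRight(doc, "\n"), "\n") {
		lineCost := 1
		for _, m := range aliasRe.FindAllStringSubmatch(line, -1) {
			// Aliases to anchors not seen yet (or a '*' inside a quoted scalar,
			// which this lexer-free scan cannot tell apart) add nothing; the
			// real parser decides whether those are errors.
			lineCost += cost[m[1]]
			if lineCost > budget {
				return lineCost, ErrExcessiveAliasing
			}
		}
		for _, m := range anchorRe.FindAllStringSubmatch(line, -1) {
			cost[m[1]] = lineCost
		}
		total += lineCost
		if total > budget {
			return total, ErrExcessiveAliasing
		}
	}
	return total, nil
}

// sampleLaughs is a constructed four-level document of the billion-laughs
// shape, kept tiny (3 aliases per level) so it is safe to reason about:
// line costs are 1, 4, 13 and 40, so the estimate is 58.
const sampleLaughs = `a: &a ["lol","lol","lol"]
b: &b [*a,*a,*a]
c: &c [*b,*b,*b]
d: &d [*c,*c,*c]
`

// sampleBenign is a constructed ordinary manifest fragment (estimate 2).
const sampleBenign = "apiVersion: v1\nkind: ConfigMap\n"

func main() {
	for _, doc := range []string{sampleBenign, sampleLaughs} {
		n, err := EstimateExpansion(doc, 20)
		fmt.Printf("estimate=%d err=%v\n", n, err)
	}
}
```

With a budget of 20 the benign manifest passes with an estimate of 2, while the four-level sample is rejected while scanning its last line. Because the estimate grows with the nesting depth rather than with the literal byte count, a request-body size limit alone would not have caught it; pair a check like this with the parser's own alias and depth limits, and with a body size limit on the API endpoint.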
Vulnerability Score: High — 7.5
Affected versions: before 1.12.11 and 1.3.x before 1.13.2
According to the golang security announcement, invalid DSA public keys can cause a panic in dsa.Verify. The announcement goes on to specify that using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root.
Go announced that it released Go 1.13.2 and Go 1.12.11 to address this issue. The announcement recommended that all affected users update to one of these releases, and added that users who aren't sure which to choose should simply pick Go 1.13.2.
Go has been gaining more and more popularity lately, followed closely by more eyeballs from the open source and security community. That means more Go vulnerabilities and fixes. If you, too, are excited about this relatively new project, make sure to keep it updated to avoid vulnerable versions.
Read more about this security issue and its fix.
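The following is an added example, not code from the Go project: a wrapper around `dsa.Verify` that checks the shape of a DSA public key before using it and turns any panic inside verification into a plain "signature invalid" result, so a crafted certificate cannot take the process down. The field checks are the public-key sanity conditions from FIPS 186 as assumed here (positive parameters, 1 < Y < P, and Y^Q mod P == 1); the exact upstream fix is not reproduced. The zeroed key in `main` is a constructed hostile input.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Added example, not code from the Go project. SafeVerify adds two layers in
// front of dsa.Verify: explicit key validation, and a recover() backstop for
// toolchains predating the Go 1.12.11 / 1.13.2 fix.

var ErrInvalidPublicKey = errors.New("dsa: malformed public key")

// ValidatePublicKey rejects nil or non-positive parameters, a public value
// outside 1 < Y < P, and a Y that is not in the order-Q subgroup (Y^Q mod P == 1).
// These are the FIPS 186 public-key conditions, assumed here as the checks to apply.
func ValidatePublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return ErrInvalidPublicKey
	}
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 || pub.G.Sign() <= 0 {
		return ErrInvalidPublicKey
	}
	one := big.NewInt(1)
	if pub.Y.Cmp(one) <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return ErrInvalidPublicKey
	}
	if new(big.Int).Exp(pub.Y, pub.Q, pub.P).Cmp(one) != 0 {
		return ErrInvalidPublicKey
	}
	return nil
}

// SafeVerify reports whether (r, s) is a valid signature over hash under pub.
// It never panics: a malformed key, nil signature values, or a panic inside
// dsa.Verify all produce false.
func SafeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (ok bool) {
	if ValidatePublicKey(pub) != nil || r == nil || s == nil {
		return false
	}
	defer func() {
		if recover() != nil {
			ok = false
		}
	}()
	return dsa.Verify(pub, hash, r, s)
}

// GenerateTestKey makes a fresh 1024/160 DSA key pair for the demo. DSA itself
// is a legacy algorithm and should not be chosen for new designs.
func GenerateTestKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(priv, rand.Reader); err != nil {
		return nil, err
	}
	return priv, nil
}

func main() {
	priv, err := GenerateTestKey()
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("hello"))
	r, s, err := dsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine key:", SafeVerify(&priv.PublicKey, digest[:], r, s))

	// Constructed malformed key with every parameter zero, the kind of content a
	// hostile certificate could carry; it must yield false, never a panic.
	bogus := &dsa.PublicKey{
		Parameters: dsa.Parameters{P: new(big.Int), Q: new(big.Int), G: new(big.Int)},
		Y:          new(big.Int),
	}
	fmt.Println("zeroed key:", SafeVerify(bogus, digest[:], r, s))
	fmt.Println("nil key:", SafeVerify(nil, digest[:], r, s))
}
```

The validation step matters more than the `recover()`: a recovered panic still costs a stack unwind per request, whereas rejecting the key up front is constant-time arithmetic on a handful of big integers. Updating the toolchain is still the fix; this wrapper is what a service can do in the meantime, or as defence in depth for keys parsed out of untrusted certificate chains.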
Vulnerability Score: High — 7.3
Affected versions: before 4.3.0
Handlebars, an extension to the Mustache templating language, strikes again with a prototype pollution vulnerability similar to the one we featured a few months ago, in our April Top 5 New Open Source Vulnerabilities list.
Handlebars.js is described on its npm page as a “logicless templating language that keeps the view and the code separated from one another” for an easier experience.
Boasting nearly 9 million weekly downloads from npm, it appears the handlebar is far from going out of style.
In this case, according to the npm security advisory, a Prototype Pollution issue in vulnerable versions of Handlebars could lead to Remote Code Execution. This is because templates might alter an Object's __proto__ and __defineGetter__ properties, which an attacker could exploit to execute arbitrary code through crafted payloads.
In order to remediate, the npm advisory recommends upgrading to version 4.3.0 or later.
You can read more about this issue and its fix here.
Vulnerability Score: Critical — 9.8
Affected versions: before 5.2.4
WordPress, an open source and CMS darling that's always on top of its issues, published quite a few critical, high and medium severity vulnerabilities in October, all of which were addressed in the new WordPress version, 5.2.4.
This first issue, included in our top five, is a Server-Side Request Forgery (SSRF) vulnerability that was found in all WordPress versions prior to 5.2.4. The issue is a result of the fact that the URL validation does not consider the interpretation of a name as a series of hex characters.
Another critical WordPress vulnerability published this month is CVE-2019-17670: also an SSRF issue, this one due to Windows paths being mishandled during certain validation of relative URLs.
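As an added example (not WordPress code), the Go guard below takes the approach that avoids the first issue's class of mistake: instead of inspecting the host string and deciding whether it "looks like" an internal address, it resolves the host and checks every address it maps to. A string check that only recognises dotted-quad literals would wave through a name made of hex digits; the `0x7f000001` entry in the constructed resolver table assumes the inet_aton-style behaviour of C-library resolvers, which accept such a name as an IPv4 literal for 127.0.0.1. The resolver, the blocked ranges and all sample URLs are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Added example, not WordPress code. CheckTarget allows a server-side fetch
// only after resolving the host and testing every resulting address against
// blocked ranges, so the decision does not depend on how the host is spelled.

// Resolver maps a host name to its addresses; injected so the demo runs offline.
// In production pass a closure around net.DefaultResolver.LookupIPAddr.
type Resolver func(host string) ([]net.IP, error)

var (
	ErrScheme  = errors.New("ssrf: only http and https are allowed")
	ErrNoHost  = errors.New("ssrf: URL has no host")
	ErrNoAddrs = errors.New("ssrf: host resolved to no addresses")
)

// blockedNets covers "this network", RFC 1918, CGNAT, loopback, link-local and
// their IPv6 counterparts. IPNet.Contains normalises IPv4-mapped IPv6 addresses,
// so ::ffff:127.0.0.1 is caught by the 127.0.0.0/8 entry.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlocked reports whether ip falls in any blocked range.
func IsBlocked(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckTarget returns nil only if rawURL is http(s) and every address its host
// resolves to lies outside the blocked ranges.
func CheckTarget(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return ErrScheme
	}
	host := u.Hostname()
	if host == "" {
		return ErrNoHost
	}
	ips, err := resolve(host)
	if err != nil {
		return err
	}
	if len(ips) == 0 {
		return ErrNoAddrs
	}
	for _, ip := range ips {
		if IsBlocked(ip) {
			return fmt.Errorf("ssrf: %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// FakeResolver is a constructed stand-in for the system resolver so the example
// needs no network. The hex entry mirrors inet_aton-style parsing of "0x7f000001".
func FakeResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string]string{
		"example.com": "93.184.216.34", // constructed public address
		"localhost":   "127.0.0.1",
		"0x7f000001":  "127.0.0.1", // assumed resolver behaviour for a hex name
	}
	if addr, ok := table[host]; ok {
		return []net.IP{net.ParseIP(addr)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, target := range []string{
		"https://example.com/feed",
		"http://0x7f000001/",
		"http://[::ffff:127.0.0.1]/",
		"ftp://example.com/",
	} {
		fmt.Printf("%-32s %v\n", target, CheckTarget(target, FakeResolver))
	}
}
```

Two caveats a practitioner should carry over from this: the fetch itself must connect to the addresses that were checked (not resolve the name a second time), or a DNS answer that changes between check and use defeats the guard; and any HTTP redirect must be run through `CheckTarget` again before it is followed.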
Vulnerability Score: Critical — 9.8
Affected versions: prior to 0.73
A security issue was discovered in vulnerable versions of PuTTY, the popular open source network file transfer application. Vulnerable versions, when used on Windows, could open port-forwarding listening sockets improperly, which attackers could exploit to listen on the same port and steal an incoming connection.
According to Alex Scroxton of Computer Weekly, this is a 20-year-old vulnerability, discovered as a result of the comprehensive bug bounty program conducted by HackerOne on behalf of the European Union Free and Open Source Software Audit (EU-FOSSA). Early in 2019 when the European Commission announced this venture, it was received with mixed responses. Critics took issue with the fact that “while bug bounties can be a good thing to run, the real issue lies in supporting the project maintainers.” While the discovery of this critical bug might not address their concerns regarding the often thankless job of open source project maintainers, it’s certainly a relief for PuTTY users.
Considering how popular this tool is with IT folks who need a remote connection to our PCs, it's best to make sure that you're using a secure version.
You can read more about the issue and its fix here.
Keeping Up With Your Open Source Security Vulnerabilities
October’s list of top 5 new open source security vulnerabilities has something for everyone. Containers, syntax, languages, file transfer, or content management — the projects included in this month’s top 5 might very well be in your environment. That doesn’t mean you need to panic, it means you need to take control of your open source usage and keep track of the open source components that you’re using.
Whether it's EU-supported bug bounty hackers or the hardworking open source community, popular open source components are getting a lot of attention and security research. Once security vulnerabilities are published, it's up to us to take that knowledge and make sure that we address and remediate any vulnerable open source components in our products.
Want to catch up on earlier open source vulnerabilities in 2019? Check out our top open source vulnerabilities page to see if there are any that you might have missed.
See you next month when we pull together the top list for November. Until then, enjoy the pumpkin spice and track your open source components so that the really scary stuff stays out of your software.