Top 5 New Open Source Vulnerabilities in June 2018

July 5, 2018 Patricia Johnson

Independence day weekend is upon us, and hopefully most of us are in the summer holiday mode: the sound of fireworks still ringing in our ears, hangovers ebbing and flowing, and tans stronger every day. As the U.S enjoys a well-deserved weekend off, celebrating independence, we continue to celebrate the independent and innovative spirit of the open source community. Who knew 20 years ago that open source components would become the building blocks of most software products?

In order to ensure that organizations can continue to harness the power of open source, our database continues to aggregate data about open source vulnerabilities and their fixes, so that you can ensure that the open source components that you are using are secure.

This is our list of June’s top 5 new known open source security vulnerabilities, collected by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), as well as multiple publicly available, peer-reviewed security advisories and issue trackers.

June’s top 5 list of vulnerable open source components has some old favorites that many of us are probably using. Some of them were published in the NVD, but three out of the five were made public in other security advisories that many developers are probably less familiar with.

 

#1 Apache Ant

WS-2018-0126

Vulnerability Score: High — 8.5

Affected versions: prior to version 1.9.12

Apache Ant, the Java based build tool from one of the OGs of the free and open source community, was hit with an archive extraction vulnerability: an archive extraction issue that was disclosed this month and affects quite a few projects.

In the case of Ant, affected versions are vulnerable to a path traversal issue in archive extraction. This vulnerability could be exploited by an attacker using a specially crafted archive that holds directory traversal filenames to execute arbitrary code.

As you can see, the ID for this issue is not the common CVE ID, but a WhiteSource (WS) vulnerability ID. The reason for this is that this critical vulnerability isn’t in the NVD database. While the NVD is comprehensive and widely well regarded, it actually doesn’t cover all open source vulnerabilities. Some vulnerabilities are recorded and tracked on different databases and advisories, that WhiteSource tracks continuously to keep our customers covered.

This Apache Ant vulnerability (WS-2018-0126) is one example. It was discovered and published in an advisory that is not included in the NVD’s database. This is why WhiteSource’s open source vulnerability database extends beyond NVD vulnerabilities, and automatically aggregates data from multiple sources in the security and open source communities.

You can find more information about this vulnerability and its fix here.

 

#2 SharpZipLib

WS-2018-0142

Vulnerability Score: High — 8.5

Affected versions: prior to commit 79503293a

Zip much? Another open source project affected by the archive extraction vulnerability disclosed this month is SharpZipLib, a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform, so that users can easily incorporate it into any .NET language project.  

Much like the security issue found in Ant, a file overwrite vulnerability was discovered in affected versions of SharpZipLib, that could result in a remote code execution/ file overwrite attack.  

Happily, the good folks at SharpZipLib have addressed the issue and updated the project.

Read more about the fix here.

 

#3  jackson-core

WS-2018-0125

Vulnerability Score: Medium — 5.5

Affected versions:  before version 2.7.6.

This month, the hardworking folks of the jackson-core project discovered that the library is vulnerable to an ‘OutOfMemory’ error, when writing BigDecimal while WRITE_BIGDECIMAL_AS_PLAIN setting is enabled. Attackers could exploit this issue to execute a denial of service attack.

The much beloved Jackson project is an old favorite on our monthly top 5 list, due to its huge popularity and the active community that continuously checks and updates the libraries.  

If you want to learn more about this vulnerability, you can read about it here.

 

#4 net/socket.c in the Linux kernel

CVE-2018-12232

Vulnerability Score: Medium — 5.5

Affected versions: through 4.17.1

A few weeks ago we shared our list of the top 5 vulnerable Linux projects to hit us in 2018 so far, and here we have another indication of how active the Linux kernel community is in addressing issues when they arise.

In this case, a NULL pointer dereference issue was discovered in the Linux kernel net/socket.c file. The vulnerability could be exploited by attackers to cause a system crash and a denial of service.

You can find more information about the vulnerability and its remediation here, and here.  

 

#5  Sprockets

CVE-2018-3760

Vulnerability Score: Medium — 5.5

Affected versions: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.

There is an information leak vulnerability in Sprockets, a Ruby library for compiling and serving web assets.

The newly discovered security vulnerability could allow specially crafted requests to be used to access files on the filesystem that is outside an application's root directory, if the Sprockets server is used in production.

The Sprocket community has issued a fix, and advises all users running an affected release to either upgrade or use one of the work arounds immediately. The advisory also strongly recommends users avoid using the Sprockets server in production.  

You can find more information about this vulnerability and its fix on gitHub, and also in the Ruby security advisory.

 

Open Source Security: Automation is Key

There you have it folks, June’s top 5 open source security vulnerabilities. As you can see, security issues kept many in the open source community on their toes this month, and its best to follow their lead.

The open source projects that were hit this month are from some of the most active open source communities out there, and many of us are probably using their components andnd yet, some of them have not yet been included in the NVD that so many rely on.

The open source folk are a dedicated bunch, and also independent and decentralized. While the pace of development and security research throughout the open source community means new vulnerabilities and their fixes are published continuously, the information is not published in one central location.

If you want to ensure that all your open source security bases are covered, it’s risky to rely on just one public database, even when it’s the NVD, and impossible to manually track all databases and advisories. This is where an automated tool for managing open source security in organizations, that tracks open source usage throughout the devops cycle and matches them against a continuously updated open source database can save you a lot of time, money, and heartache, and will allow you to focus on the important things, like summer holidays.

Want to catch up on earlier 2018 open source vulnerabilities? Visit our monthly top vulnerabilities page.

 
Previous Article
3 Essential Steps for Your Vulnerability Remediation Process
3 Essential Steps for Your Vulnerability Remediation Process

Next Article
How To Secure Your SDLC The Right Way
How To Secure Your SDLC The Right Way