August provided us with an excellent example of history repeating, in the form of a newly disclosed security vulnerability in Apache Struts 2, otherwise known as CVE-2018-11776. This vulnerability was published nearly a year after Equifax’s September 2017 announcement that they had suffered a record-breaking data breach due to a previously known Struts 2 vulnerability.
As many in the industry have been looking back and questioning whether organizations learned anything about open source security management from the notorious Equifax fiasco, the latest Struts 2 vulnerability got its share of headlines. However, while that vulnerability should certainly be taken seriously, tens of other new open source security issues were published this August, and they deserve just as much attention.
Our tenacious research team has gone over the data and put together a list of the top 5 new known open source security vulnerabilities published in August. The data is aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), as well as several additional publicly available, peer-reviewed security advisories and issue trackers.
While many security vulnerabilities are listed in the NVD, too few of us know that only 86% of reported open source vulnerabilities appear in the NVD. That’s why the WhiteSource database covers multiple sources besides the database, and it’s the reason this list includes both vulnerabilities from the CVE index and from the WS database, that have yet to be added to the CVE lists.
To add to the headline-winning Struts 2 vulnerability, August’s top 5 list of vulnerable open source components has some OG favorites everyone is most probably using, and other newer open source tools and frameworks to help the kids with all their new web applications. Either way, take care of your Struts but don’t forget the rest of your projects.
Review the list and then make sure to review your open source usage so that all of your open source components are on point and hard to exploitable.
Vulnerability Score: High — 8
Affected versions: before 1.4.3
Vulnerable versions of this URL string parsing solution return an incorrect hostname, an issue that leads to multiple flaws such like SSRF (Server Side Request Forgery), Open Redirect, or Bypass Authentication Protocol, leaving users open to exploit.
#2 Zend Framework
Vulnerability Score: High — 8
Affected versions: zend-diactoros: before version 1.8.4, zend-http: before version 2.8.1, and zend-feed before version 2.10.3.
A URL Rewrite issue was discovered in several projects in the Zend Framework — a collection of professional PHP packages. The vulnerability could allow a malicious client or proxy to emulate the headers in order to request arbitrary content.
According to the Zend Framework security advisory, zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component).
Zend Framework is a popular project for developing web applications and services using PHP 5.6+, and provides 100% object-oriented code using a broad spectrum of language features to the nearly 300 million developers who have already installed it.
According to the advisory, it was the Drupal Security Team that found the issues and worked with the Zend Framework team to help resolve them. This shows us once again the security experts working on open source projects are a dedicated and cooperative bunch, that work hard to make sure users are safe,
This vulnerability was added to the WhiteSource database from a security advisory other than the NVD database, which is why the vulnerability ID for this issue is not the common CVE ID, rather it starts with WS.
You can find more information about this security vulnerability and its fix here.
Vulnerability Score: High — 8
Affected versions: before 5.6.30
In other PHP framework related news, a cookie serialization vulnerability in PHP web application framework Laravel could allow PHP object serialization exploits like calling arbitrary class methods within an application.
According to the good folks at Laravel’s upgrade guide, this risk is prevalent only in cases where the application encryption key is accessed by a malicious user, who could use it to craft cookie values and exploit vulnerabilities inherent to PHP object serialization.
According to its documentation, the Laravel project prides itself on making common developmental tasks easier with accessible and powerful tools for robust applications.
This is another vulnerability that is not yet listed in the popular NVD database, but was aggregated from other community sources to the WhiteSource database.
Learn more about the vulnerability and its fix on GitHub.
#4 Linux Kernel
Vulnerability Score: Medium — 5.3
Affected versions: before 4.18.1
August hasn’t been an easy month for the hardworking Linux kernel community.
Vulnerable versions of arch/x86/kernel/paravirt.c in the Linux kernel mishandle certain indirect calls. This local security bypass issue could allow hackers to conduct Spectre-v2 attacks against paravirtual guests.
Other Linux kernel issues published this month are CVE-2018-10938, which might allow a remote user to send specially crafted data to trigger an infinite loop in the kernel, leading to a denial of service. This vulnerability was found in Linux kernel present since v4.0-rc1 and through v4.13-rc4. You can learn more about the vulnerability and how to fix it here.
But that’s not all. Introducing CVE-2018-15572: another issue that could allow a spectre_v2 attack, due to a flaw in the spectre_v2_select_mitigation function in Linux kernel versions before 4.18.1. More information on that doozy can be found here.
In addition, a couple of kernel vulnerabilities managed to make headlines. Red Hat warns of two denial of service vulnerabilities in the Linux Kernel: “SegmentSmack” an issue where TCP segments with random offsets allow a DOS exploit and “FragmentSmack”, named after the IP fragments with random offsets that could allow also allow a DOS attack.
This pile-up once again shows us that while it’s always good to stay on top of security research news, that’s not enough if you want to ensure that you’re managing all of the open source security issues in your code.
Vulnerability Score: Medium — 6
Affected versions: before 2.5.17
Rounding up our top 5 open source security vulnerabilities list for August is yet another web application security issue, that is currently not included in the NVD.
Learn more about the Vue vulnerability on GitHub.
Stay One Step Ahead of the Open Source Vulnerabilities
It’s been another busy month for the open source community. Collaboration helped uncover and fix quite a few new open source security vulnerabilities, and now it’s up to us to leverage all that hard work to ensure we know which open source components we are using, and that they are vulnerability free.
While the wild west of open source security vulnerabilities can sometimes seem hard to follow, with what seems like an army of security researchers constantly documenting their wins on multiple advisories, issue trackers and databases, it’s actually an easy job for an automated tool that can continuously track the open source components in our code and match them up against a comprehensive database that simply follows everything.
Want to catch up on earlier 2018 open source vulnerabilities? Visit our top open source vulnerabilities page.