Top 5 New Open Source Security Vulnerabilities in December 2019

January 9, 2020 Patricia Johnson

For better or worse, the holiday season is behind us, and we settle back into our routines with a new set of resolutions for 2020. Whether you spent the last week getting over your New Year’s Eve hangovers or posting photos of your vacation, one thing’s for sure — our hardworking knowledge team has been reviewing our December open source vulnerabilities data to bring you the top five new open source security vulnerabilities in December. 

The WhiteSource database continuously collects information about the open source security vulnerabilities published across a wide range of community resources, including the popular National Vulnerability Database (NVD), as well as various peer-reviewed security advisories, and issue trackers. 

December’s list of the top five new open source vulnerabilities includes projects that we all know and love; some are trendy new kids on the block and some are old-time favorites. Either way, you are most probably using them, so take a minute to read through this latest list and make sure that you’re secure.

#1 SQLite  

CVE-2019-19646

Vulnerability Score: Critical — 9.8

Affected versions: SQLite through 3.30.1

This first critical SQLite security vulnerability was found in pragma.c. According to the NVD, pragma.c in vulnerable versions of SQLite “mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.” In its security advisory, NetApp warns that this and the additional critical SQLite vulnerabilities published this month could lead to a number of different attacks, such as disclosure of sensitive information, addition or modification of data, or Denial of Service.

SQLite, an old favorite in the open source community, is a C-language library that implements — you guessed it — an SQL database engine. According to their site, it’s the most widely deployed Database Engine in the world, used by all mobile devices, most computers, and countless applications, including Android, iPhones, and iOS devices, Mac and Windows 10 machines, every instance of Firefox, Chrome, and Safari, PHP and Python, most TV sets and set-top cable boxes, and most automotive multimedia systems, and in case all of the above aren’t enough, SQLite boasts that it is used by “countless millions of other applications”. 

Considering SQLite is most probably used by all of us all of the time, it’s important to mention that SQLite published quite a few new vulnerabilities this month. It’s also why a few of them, coined Magellan 2.0 vulnerabilities, grabbed some headlines when researchers found that they affect Google Chrome. 

Happily, the issues have been fixed and patched, so if you’re using SQLite or a product that is dependent on it (newsflash: you are), make sure to update your versions.

You can find out more about the vulnerability and its fix on GitHub, here, and here.  

#2 PHP

CVE-2019-11049

Vulnerability Score: Critical — 9.8

Affected versions: 7.3.x below 7.3.13 and 7.4.0 on Windows

Another critical open source security vulnerability published in December was found in vulnerable versions of PHP. According to the NVD description, due to a mistake introduced in a previous commit, certain instances where custom headers are supplied to the mail() function might lead to double-freeing certain memory locations.

PHP, the programming language that some developers just love to hate (you know who you are), is behind such popular products as Drupal, WordPress, and Moodle. Whether you’re a lover, a hater, or just a fan of heated debates, there’s a high chance that you’re using a product that’s reliant on PHP. The issue has already been fixed, so make sure that you update to the secure version that the hard-working PHP team recently released.

Read more about this security issue and its fix from the PHP bug tracker and on GitHub.

#3 TensorFlow

CVE-2019-16778

Vulnerability Score: Critical — 9.8

Affected versions: before 1.15

The TensorFlow crew published a heap-based buffer overflow security vulnerability that was found in the UnsortedSegmentSum function in vulnerable versions, resulting in access to out-of-bounds heap memory. While the NVD scored this security vulnerability as critical, according to the TensorFlow advisory, the chances that this issue is exploitable are extremely low, and it was detected and fixed internally in TensorFlow 1.15 and 2.0. Even so, the advisory recommends that users update to the fixed versions, 1.15, 2.0 or later.

TensorFlow is the fastest growing deep learning framework and an open source darling. GitHub's Octoverse for 2019 recently featured it as one of its most popular projects to show how open source projects connect the larger software community, and reported that “46k dependent repositories now rely on TensorFlow, building on the project’s network of dependencies.” The high number shows us once again that a popular open source project, young or old, can have an impact on a large number of projects, not to mention their users. 

Considering how popular machine learning technologies have become, it’s best to make sure that if you are using TensorFlow or one of its dependents, you update to a secure version as soon as possible. 

You can learn more about this now-resolved TensorFlow issue here and here.

#4 Handlebars

WS-2019-0332

Vulnerability Score: Medium — 5

Affected versions: prior to 4.5.3

Once again, the Handlebars crew showed us that they are on top of their security issues. According to the npm security advisory, an Arbitrary Code Execution issue was found in vulnerable versions of Handlebars. 

The advisory explains that this issue is a result of an incomplete fix to WS-2019-0331 — another Handlebars issue published a few days earlier. The vulnerability could allow attackers to submit templates that execute arbitrary JavaScript in the system, and can be exploited to run arbitrary code in a server processing Handlebars templates or on a victim's browser.

The npm advisory recommends upgrading to version 4.5.3 or later.

Handlebars, an extension to the Mustache templating language, is a “logicless templating language that keeps the view and the code separated from one another” for an easier experience. 

Boasting over 6 million weekly downloads from npm, it’s an extremely popular open source project, and readers of our monthly Top 5 New Open Source Vulnerabilities post know that the project is supported and maintained by a hard-working community that can be counted on to swiftly report and remediate any issues that are found.  

The reason that this Handlebars issue’s ID number has a WS prefix rather than the more common CVE prefix is that the issue has not yet been added to the CVE database or to the NVD. It might surprise some of you that, while the NVD database is comprehensive and well-known, it actually doesn’t cover all of the known security vulnerabilities out there. Many issues discovered and reported in the open source community aren’t necessarily added to the CVE, at least not immediately. These are added to our WhiteSource database, which continuously aggregates data from a number of community resources, and get an ID with a WS prefix.

We saw a good example of this with another Handlebars issue, published in the NVD this December as CVE-2019-19919. This issue was included in our Top 5 New Open Source Vulnerabilities list for October under the ID WS-2019-0291, and was reported in the community two months before it was published as a CVE this past December.

You can find more information about the Handlebars vulnerability here.

#5 npm CLI

CVE-2019-16777

Vulnerability Score: Medium — 6.5

Affected versions: prior to 6.13.4

This is one of quite a few vulnerabilities discovered in the npm project this month. In this case, an arbitrary path access issue, which could lead to arbitrary file overwrite, was discovered in vulnerable versions of the npm CLI. 

According to the npm blog, exploiting the vulnerability requires hackers to get victims to install a package with a specially crafted bin entry. While that might be seen as a mitigating factor, it’s not impossible and has actually been done before.

The blog goes on to urge users to run npm install -g npm@6.13.4 as soon as possible in order to patch this security vulnerability. 

In the olden days when it launched, Node Package Manager (npm) was a game-changer for app development, enabling developers to build small reusable pieces of code and share them with the rest of the developer community.

While npm gives developers massive flexibility and makes developing applications incredibly simple, developers need to remember to keep security in mind. That means making sure that the version that they are using is up to date, and implementing npm best security practices.  

Read more about this security issue and its fix here.

Resolution for 2020: Manage Your Open Source Security Vulnerabilities

December’s list of top 5 new open source security vulnerabilities reflects a few trends that we witnessed over the past few years. Open source is eating the world, and most of the software products that we rely on are built on the projects that the continuously growing open source community provides. This is why awareness of open source security vulnerabilities is also getting higher, resulting in the rise of known open source vulnerabilities that we’ve witnessed over the past two years.  

Whether it’s a language, a database engine, a huge open source project repository, or the framework for tomorrow’s top machine learning technologies, open source projects are in every industry, and part of our everyday lives. As the community’s awareness of security increases, we must implement the tools and processes that will help us continue to keep up with them, so that we can use open source components to power our products and businesses without having to worry about open source security vulnerabilities.
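
Added example (not part of the original article and not WhiteSource code): the affected-version ranges listed for the five entries above, turned into a check over a component inventory. The component names, the sample inventory and the helper names are constructed for illustration; matching is on the version string only, so the PHP entry's "on Windows" condition is reported, not evaluated.

```python
import re

def version_key(text):
    """'4.5.3' -> (4, 5, 3, 1); '4.5.3-rc1' -> (4, 5, 3, 0).

    The last element sorts a pre-release before its final release, so a
    release candidate of a fixed version is still reported as affected.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (0 if m.group(2) else 1,)

K = version_key

# component -> (advisory ID, range as worded in the article, predicate on version_key)
ADVISORIES = {
    "sqlite": ("CVE-2019-19646", "through 3.30.1", lambda k: k <= K("3.30.1")),
    "php": ("CVE-2019-11049", "7.3.x below 7.3.13 and 7.4.0 on Windows",
            lambda k: (k[:2] == (7, 3) and k < K("7.3.13")) or k[:3] == (7, 4, 0)),
    "tensorflow": ("CVE-2019-16778", "before 1.15", lambda k: k < K("1.15")),
    "handlebars": ("WS-2019-0332", "prior to 4.5.3", lambda k: k < K("4.5.3")),
    "npm": ("CVE-2019-16777", "prior to 6.13.4", lambda k: k < K("6.13.4")),
}

def audit(inventory):
    """Return (component, version, advisory ID, range) for each affected entry."""
    findings = []
    for name, version in inventory:
        rule = ADVISORIES.get(name.lower())
        if rule and rule[2](version_key(version)):
            findings.append((name, version, rule[0], rule[1]))
    return findings

# Constructed inventory for illustration; not taken from any real system.
SAMPLE_INVENTORY = [
    ("sqlite", "3.30.1"), ("php", "7.3.12"), ("php", "7.4.1"),
    ("tensorflow", "1.14.0"), ("tensorflow", "2.0.0"),
    ("handlebars", "4.5.2"), ("npm", "6.13.4"),
]

if __name__ == "__main__":
    for name, version, advisory, affected in audit(SAMPLE_INVENTORY):
        print(f"{name} {version}: {advisory} (affected: {affected})")
```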

Want to catch up on earlier open source vulnerabilities in 2019? Check out our top open source vulnerabilities page to see if you missed anything. 

See you in 2020 when we pull together the top list for all of 2019, and see how 2020 starts shaping out with our review of January’s top open source security vulnerabilities. Until then, happy 2020, and don’t forget to track your open source components. 
