If you’re running an Apache Struts 2 server and haven’t patched for CVE-2017-5638, stop reading right now and do so. Researchers are reporting that exploits of the vulnerability are trivial to carry out, highly reliable and require no authentication. While NIST has only had a placeholder for the Apache Struts 2 vulnerability, Black Duck has been reporting on it to customers who use this component. Our reporting started on Monday the 6th (the same day the patch was released), through our Enhanced Vulnerability Data (EVD) insight embedded into the Black Duck Hub, which provides much deeper analysis than the NVD alone.
Although CVE-2017-5638 is leading the news cycle, there are now 380 other CVEs listed in the National Vulnerability Database for the month of March. In this week’s open source and cybersecurity news:
Mike Pittenger, Black Duck’s vice president of security strategy, provides insight on the Apache Struts 2 vulnerability and the WordPress SQL Injection Bug. The Forrester Wave Report on software composition analysis highlights the clear prominence of open source as well as the need for open source vulnerability management. Legal experts examine the benefits and risks of open source use.
A new pairing of Microsoft and Black Duck technology can help developers spot open source code with licensing and security risks. How a three-pronged approach to application security is more effective than SAST or DAST alone. And the story behind Google’s emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.
Critical Vulnerability under “Massive” Attack Imperils High-impact Sites via Ars Technica: In a string of attacks that continue to escalate, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.
The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.
Black Duck Commentary on Critical Apache Struts 2 Vulnerability
“Obviously, zero day vulnerabilities are a problem,” writes Mike Pittenger, “in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers with exploits already reported to be in the wild.”
“Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% still were vulnerable to Heartbleed.”
Microsoft Integrates Black Duck Open Source Tools with Visual Studio: Is someone sneaking open-source code as their work into your Visual Studio project? Does some of the open-source code you're already using have known bugs in it? This new pairing of Microsoft and Black Duck technology can help with both problems, reports ZDNet.
Advocating a Three-pronged Approach to Managing Application Security Risk: Today, more than 80% of cyberattacks target software applications, writes Black Duck’s Patrick Carey in TechCentral.ie. Unsurprisingly, there is an array of application security tools to help companies address security risks, varying in both approach and coverage. For example, traditional application security tools Dynamic Analysis Security Testing (DAST) and Static Analysis Security Testing (SAST) are effective in finding bugs in the application code internal developers write. However, they are not as effective in identifying open source software vulnerabilities. Most open source vulnerabilities are reported by security researchers and not found by DAST and SAST application security tools.
Google Leads ‘Guerilla Patching’ of Big Vulnerability in Open Source Projects via NakedSecurity: Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.
Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.
Forrester Wave Report Highlights The Clear Prominence Of Open Source via BusinessSolutions: The security industry is recognizing the importance open source has within enterprise applications and ultimately security, according to Forrester research. The Forrester Wave: Software Composition Analysis, Q1 2017 focused on Software Composition Analysis (SCA), found that developers use open source components as their foundation, and highlighted how security pros are turning to SCA tools to reduce risks.
WordPress SQL Injection Bug in NextGen Gallery “The issue her