The sweltering month of August is finally here, leaving many an open-space half-empty as many of our lucky comrades take time off for much-needed R&R. As for us, we consider ourselves lucky to have the opportunity to blast the aircon as high as we want, while trusting our hardworking Knowledge Group to deliver the hottest news on July’s new open source security vulnerabilities.
Needless to say, they have once again delivered, bringing us the top 5 new open source security vulnerabilities in July from over 100 new open source vulnerabilities that were discovered and added to our hardworking database this past month. The Mend vulnerability database continuously aggregates known open source security vulnerabilities from multiple resources like the National Vulnerability Database (NVD), as well as other well-respected public, peer-reviewed security advisories and issue trackers so that we can collect the most comprehensive data about any new open source security vulnerabilities published.
July’s top 5 includes some extremely popular projects which are supported by an active and often passionate community. So without further ado, here are the top 5 new open source vulnerabilities published in July.
Vulnerability Score: High — 7.5
Affected versions: Docker CE and EE before 18.09.8, Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10
An information disclosure issue was discovered in vulnerable versions of Docker CE and EE, which could enable an attacker to gain access to sensitive information that might help to carry out additional attacks.
Security researchers found that Docker Engine in debug mode adds secrets to the debug log when docker stack deploy is run to redeploy a stack that includes (non-external) secrets. This could also put other API users of the stack API at risk if they resend the secret.
Docker is a major solution in the continuously-trending container ecosystem, so this is a big one. While organizations are embracing Docker to leverage the speed and agility it enables, it’s easy to overlook the security challenges that container usage presents. If you too are part of the ever-growing merry clan of Docker users, make sure you are using a secure version, and make it a habit to check and update your Docker.
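As an added example (not from the original post and not Docker's own tooling), here is a small Python check that classifies an engine version against the affected ranges quoted above and flags the daemon debug mode that causes the leak. It assumes the version string comes from `docker version --format '{{.Server.Version}}'` and the debug flag from `docker info --format '{{.Debug}}'`; the sample inputs at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges quoted in the post: CE/EE before 18.09.8, EE before 17.06.2-ee-23,
# EE 18.x before 18.03.1-ee-10. Version strings are assumed to look like the output of
# `docker version --format '{{.Server.Version}}'` (e.g. "18.09.7", "18.03.1-ee-9").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-ee-(\d+))?$")


def parse_docker_version(version: str) -> Tuple[int, int, int, Optional[int]]:
    """Split a Docker version into (major, minor, patch, ee_build or None)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Docker version string: {version!r}")
    major, minor, patch, ee = match.groups()
    return int(major), int(minor), int(patch), (int(ee) if ee is not None else None)


def is_vulnerable_version(version: str) -> bool:
    """True if the version falls inside one of the affected ranges above."""
    major, minor, patch, ee = parse_docker_version(version)
    base = (major, minor, patch)
    if ee is not None:
        # EE maintenance branches were fixed in a specific -ee build, not in 18.09.8.
        if (major, minor) == (17, 6):
            return (base, ee) < ((17, 6, 2), 23)
        if (major, minor) == (18, 3):
            return (base, ee) < ((18, 3, 1), 10)
    return base < (18, 9, 8)


def assess(version: str, debug_enabled: bool) -> Tuple[bool, str]:
    """Combine the version check with the daemon debug flag.

    debug_enabled is assumed to mirror `docker info --format '{{.Debug}}'`. Only a
    vulnerable engine running in debug mode writes stack secrets to the daemon log on
    `docker stack deploy`; a vulnerable engine with debug off still needs the upgrade,
    because debug can be switched on later.
    """
    if not is_vulnerable_version(version):
        return False, f"{version}: patched build, no action needed"
    if debug_enabled:
        return True, (f"{version}: affected AND debug mode is on; stack secrets are "
                      "written to the daemon log; disable debug, rotate secrets, upgrade")
    return True, f"{version}: affected; upgrade before enabling debug mode"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    for ver, dbg in [("18.09.7", True), ("18.03.1-ee-9", False), ("19.03.1", True)]:
        print(assess(ver, dbg)[1])
```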
Vulnerability Score: High — 7.2
Affected versions: 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4
Both of these newly discovered buffer overflow security issues were found in the Redis hyperloglog data structure, as it was found to fail to perform adequate boundary checks on user-supplied data.
In CVE-2019-10192, an attacker could exploit the vulnerability to trick Redis’s interpretation of dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer. Then in CVE-2019-10193, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
Recently voted most loved database for the third consecutive year on the 2019 Stack Overflow developers’ survey, Redis is one of the most popular open source in-memory data structure stores out there. Considering its popularity among a large and diverse community that includes Twitter, Pinterest, and GitHub just to name a few, Redis users should make it a priority to update to a secure version.
You can learn more about these recent Redis security issues and their fixes here.
Vulnerability Score: High — 7.5
A new memory corruption vulnerability was discovered in Microsoft’s Chakra scripting engine. According to the Microsoft security advisory, a remote code execution vulnerability was found in the way that the Chakra scripting engine handled objects in memory in Microsoft Edge.
The advisory warns that an attacker could exploit the vulnerability to execute arbitrary code in the context of the current user to gain their user rights, and even take control of an affected system if the current user is logged on with administrative user rights. This could allow the malicious user to install programs, view, change, or delete data, or create new accounts with full user rights.
Another scary scenario that the advisory outlines is that in the case of a web-based attack, a hacker could host a specially crafted website to exploit the vulnerability through Microsoft Edge, or take advantage of compromised websites and websites that accept or host user-provided content or advertisements containing specially crafted content that could exploit the vulnerability.
Luckily, Microsoft is doing a great job swiftly publishing the fixes.
Vulnerability Score: High — 7.3
Affected versions: Python 2.7.11 / 3.6.6
A null pointer dereference vulnerability was discovered in Python.org’s X509 certificate parser that could cause a denial of service to applications when parsing specially crafted certificates. According to Python’s security documentation, this could allow malicious users to initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
While Red Hat’s security advisory gave this vulnerability a relatively high criticality score, Python’s Christian Heimes, who patched the vulnerability that Cisco Talos Intelligence Security discovered, claims that the issue isn’t as critical or as easy to exploit as it initially seemed. Heimes asserts that users who have cert validation enabled and only trust public root CAs from the CA/B forum aren’t affected. Nonetheless, the good folks at Python were quick to fix the issue in these releases.
Python is an old favorite. Released nearly 30 years ago, it’s gotten a lot of love from the open source development community, boasting third place in GitHub’s top 10 languages. If you are one of Python’s many enthusiastic users, it’s best that you check which version you’re working with and update if necessary.
It’s also worth mentioning that while this issue has already been assigned a CVE ID, it has not yet been added to the NVD database. As is the case with many known open source security vulnerabilities, the information can be found on other public community platforms. You can read more about this Python issue and its fix here.
Vulnerability Score: Medium — 5
Affected versions: before 2.0.0-rc.12
Luckily, an updated version has been released, and the npm advisory recommends upgrading to version 2.0.0-rc.12 or later.
BootstrapVue helps developers build responsive, mobile-first projects on the web using Vue.js and the widely popular front-end CSS library — Bootstrap v4. According to their documentation on GitHub, BootstrapVue provides one of the most comprehensive implementations of the Bootstrap v4.3 component and grid system for Vue.js, and offers over 40 available plugins and more than 80 custom components.
This is another open source vulnerability that can’t be found in the NVD; it was published in an open source community advisory, which is why the issue’s ID has a WS prefix rather than the more familiar CVE. This is yet another reminder that using open source components requires us to stay on top of the community’s various security advisories and bug trackers if we want to stay ahead of the hackers. BootstrapVue is supported by a large and active community, so while users can rest assured that any issues discovered are swiftly addressed, it’s important to track any newly published vulnerabilities and version updates.
You can read more about the issue and its fix on GitHub.
July’s top 5 open source vulnerabilities were discovered in a diverse collection of projects that help support and accelerate software innovation across the development industry. This is another reminder that the olden-days question of whether or not to use open source has been replaced with the question of how best to manage open source usage and security.
All of the open source projects that found their way into July’s list of top 5 new open source security vulnerabilities are powered and supported by an active and enthusiastic bunch that do their best to ensure that any security issues are found and fixed quickly. The rest of the journey to a secure version is left to the projects’ large user community that needs to continuously stay on top of their open source components, versioning, and required security updates.
Managing open source security might seem like an endless task, considering the volume of open source vulnerabilities published every month, the speed required to remediate since the information is easily accessible to hackers in addition to users, and the decentralized nature of knowledge sharing in the open source community. However, once you integrate automated tracking tools into your DevSecOps pipeline, it’s easy to manage open source issues since your tools can do all that heavy lifting for you, allowing developers to use the open source components that they depend on without compromising on security, quality, or speed.
Want to catch up on open source vulnerabilities which could have slipped by in 2019? Check out our blog to see if there are any that you might have missed last year.
See you next month when we pull together the top list for August. In the meantime, pour yourself a cold iced tea, stick an umbrella in it, and get down to patching your software.