Top 5 New Open Source Vulnerabilities of January 2018

According to our database, January brought in some new and nasty open source vulnerabilities. Which ones hit us the hardest?

It seems like it was just yesterday that we emerged from our New Year’s vacations and sat back at our desks, coffee in hand, ready to take on whatever January may bring. But January has come and gone, leaving us with some doozies of newly published open source vulnerabilities aggregated by our loyal friend, the Mend database.

Today, we’ll give you a rundown of the five most common new vulnerabilities in January. These are the known open source vulnerabilities published this month that, according to our analysts, affected the most organizations.

Some of this month's vulnerabilities were found in open source components that have been ruling the ecosystem for many years, and others are newer kids on the block. Either way, we’re here to help you make sure that your open source components are updated and vulnerability-free.

#1 Electron

Vulnerability score: High — 9.6


Versions: 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier

The Electron security vulnerability gets the notorious first place in our January list and was featured in major headlines last week, thanks to the many popular apps created using this open source framework.

Electron is a very popular open source framework built on Node.js, V8, and Chromium that enables developers to create native applications using web technologies like JavaScript, HTML and CSS. Its well-known users include organizations like Microsoft, Facebook, Slack, Docker, and WordPress, to name a few. Popular applications such as Skype, GitHub’s Atom editor, and the Signal messaging app are built using the Electron framework, putting a lot of folks justifiably on edge.

The critical vulnerability that was discovered is a remote code execution flaw: it could allow an attacker to execute a malicious command on a targeted machine or in a targeted process, gaining unauthorized access to your data and resulting in a complete takeover of the computer.

According to an announcement published by Electron on January 22, “Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable. Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API”.

Users of macOS and Linux, you may breathe a sigh of relief: these operating systems are not vulnerable to the issue.

Luckily, Electron announced that they have already issued a patch, posting that, “We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.4, 1.7.11, and 1.6.16”, and added that they “urge all Electron developers to update their apps to the latest stable version immediately.”

You can find more information about the fix in Electron’s blog.
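Updating is the fix, but an app that registers a protocol handler should also treat every incoming `myapp://` URL as untrusted input. The following is an added example (not Electron's own code) of such a check: the scheme `myapp` comes from the announcement quoted above, while the allowed actions, parameter rules and the `validateProtocolUrl` / `protocolUrlFromArgv` helpers are assumptions constructed for this illustration.

```javascript
// Added example, not Electron's own code: defensive handling of a custom-protocol URL
// (scheme "myapp" from the Electron announcement). On Windows the URL reaches the app
// as a command-line argument, so treat it as untrusted input: enforce the scheme, an
// allow-list of actions and a strict character set, and reject everything else.
// ALLOWED_ACTIONS and the parameter rules are constructed for this example.
const EXPECTED_SCHEME = 'myapp:';
const ALLOWED_ACTIONS = new Set(['open', 'join']);

// Returns { ok: true, action, params } for an acceptable URL, else { ok: false, reason }.
function validateProtocolUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'missing, empty or oversized argument' };
  }
  // Links we generate never contain whitespace or start with a dash; such input is
  // not one of ours, so refuse it outright rather than trying to clean it up.
  if (/\s/.test(raw) || raw.startsWith('-')) {
    return { ok: false, reason: 'whitespace or leading dash' };
  }
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser, a global in Node.js
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== EXPECTED_SCHEME) {
    return { ok: false, reason: `unexpected scheme ${url.protocol}` };
  }
  if (!ALLOWED_ACTIONS.has(url.hostname)) {
    return { ok: false, reason: `unknown action ${url.hostname}` };
  }
  const params = {};
  for (const [key, value] of url.searchParams) {
    if (!/^[a-z]{1,16}$/.test(key) || !/^[\w.-]{1,128}$/.test(value)) {
      return { ok: false, reason: `rejected parameter ${key}` };
    }
    params[key] = value;
  }
  return { ok: true, action: url.hostname, params };
}

// The protocol URL arrives in the app's argument vector (last element on Windows);
// pick it out without trusting anything else in argv.
function protocolUrlFromArgv(argv) {
  const last = argv[argv.length - 1];
  return typeof last === 'string' && last.startsWith(`${EXPECTED_SCHEME}//`) ? last : null;
}
```

In an Electron app the returned `action` and `params` would drive the window or route to open; anything with `ok: false` should be logged and dropped.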

#2 Linux Kernel netfilter: xt_TCPMSS

Vulnerability score: High — 10


Versions: Linux kernel before 4.11, and 4.9.x before 4.9.36

This component is part of the Linux kernel's netfilter subsystem, helping to control network communication by setting the maximum segment size (MSS) carried in TCP headers. Similar to a dam, these controls are crucial to avoid flooding the valley.

If an attacker is able to exploit this vulnerability, they can send through a flood of communications, thus knocking the system offline in a denial of service attack. As this component sits at the kernel level, it is part of the foundation of the system and can have wide-ranging effects across the board, making this a critical vulnerability to be sure and justifying its CVSS score of 10 on the exploitation Richter scale.

You can see the full list of vulnerable versions here.

Happily, the dedicated Linux kernel community members have already provided a fix, and detailed information about it can be found here.


#3 Jackson-databind

Vulnerability score: High — 7.5


Versions: through 2.8.10 and 2.9.x through 2.9.3

The ever-popular JSON parser for Java, this library is a go-to for Java-heads thanks to its ability to translate between the popular data exchange format JSON and Java objects.

This deserialization vulnerability is considered highly risky, and reached a high 7.5 score on the vulnerability scale, because it could allow attackers to perform remote code execution by sending maliciously crafted JSON input to the readValue method of ObjectMapper.

Unfortunately, this isn’t the first time a deserialization flaw has been found in this project. The issue exists because of an incomplete fix for CVE-2017-7525 and CVE-2017-15095, the latter of which was also featured in our findings this month. Some of our loyal readers might remember that the previous Jackson-databind vulnerability also scored high in our recent end-of-year post about the top security vulnerabilities in 2017.

The fix can be found on GitHub. Hopefully, the many eyeballs working on this active open source project will continue to be diligent in finding any additional issues. We’ll be sure to keep you posted.

#4 AngularJS

Vulnerability score: Medium — 5.5


AngularJS is another extremely popular open source framework, originally created as a project at Google and still mainly maintained by them. It’s one of the most widely used front-end JavaScript frameworks and is distributed through NPM.

The AngularJS project is supported by a large and active open source community of over 1600 members, who have contributed a whopping 8,689 commits on GitHub to date.

Unfortunately, this is the first of two security vulnerabilities discovered in AngularJS in January. In this first issue, JSONP could be made to load resources from untrusted URLs. This is extremely risky because it provides hackers with an attack vector.

You can find the fix for this security issue on GitHub.

#5 AngularJS

Vulnerability score: Medium — 5.5


Once again this January, hardworking security folk found a vulnerability in our beloved AngularJS framework.

This time, researchers discovered that when rendering Angular templates with a server-side templating engine like ERB or Haml, cross-site scripting (XSS) vulnerabilities can easily be introduced. This could enable hackers to inject malicious client-side scripts into public web pages. In this case, the vulnerability arises because AngularJS evaluates user-provided strings containing interpolation symbols (the default symbols are {{ and }}).

You can read more details about this issue on GitHub, along with details about the fix.
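The root of the problem is that a server-side engine escapes HTML markup but not the {{ }} symbols, so they survive into the page and Angular compiles them. The following added example (not AngularJS project code) shows that in miniature, together with a detection check and a hardened renderer; the `escapeHtml`, `findInterpolations`, `renderUnsafe` and `renderSafe` helpers and the sample comment are constructed for this illustration, and it assumes the default {{ }} interpolation symbols named above.

```javascript
// Added example, not AngularJS project code: why HTML escaping alone does not stop
// Angular interpolation in a server-rendered page, and how to neutralise it.
// Assumes the default interpolation symbols {{ }} and an ERB/Haml-style engine
// that HTML-escapes text but knows nothing about Angular.

const INTERPOLATION = /\{\{[\s\S]*?\}\}/g;

// The escaping a server template engine applies to text by default.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Detection: list every fragment of a user-supplied string that Angular would
// evaluate as an expression. Useful for logging or rejecting input at the edge.
function findInterpolations(text) {
  return String(text).match(INTERPOLATION) || [];
}

// Unsafe rendering: markup is escaped, but {{ }} is not markup, so the braces
// reach the page unchanged and the client-side Angular compiler evaluates them.
function renderUnsafe(userText) {
  return `<p class="comment">${escapeHtml(userText)}</p>`;
}

// Hardened rendering: escape as before, and wrap the untrusted text in an element
// carrying ng-non-bindable, which tells Angular not to compile or bind its contents.
// (Changing $interpolateProvider's start/end symbols app-wide is the other option.)
function renderSafe(userText) {
  return `<p class="comment"><span ng-non-bindable>${escapeHtml(userText)}</span></p>`;
}

// Constructed sample input: harmless arithmetic standing in for a real expression.
const SAMPLE_COMMENT = 'Nice post! {{ 1 + 1 }} <b>bold</b>';
```

Run `renderUnsafe(SAMPLE_COMMENT)` and the braces are still there for Angular to evaluate; `renderSafe` keeps the same escaping but fences the text off from the compiler.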

You may have noticed that neither of the AngularJS vulnerabilities we listed has the common “CVE” ID. This is because they have not yet been added to the NVD database, but they have been published in one of the other security advisories scanned by the Mend database, earning them a respectable “WS” prefix on their IDs.

Open Source Security Takeaways

That’s all for this month folks. The main takeaway from this month’s open source vulnerability data is that the research and open source communities are working hard to ensure that we are in the know about the latest vulnerabilities in open source components. Once they’ve discovered, fixed, and published a vulnerability, the responsibility is ours to go out and patch.

Stay tuned for next month’s open source vulnerability highlights. Meanwhile, stay warm, don’t forget your software development hygiene, and make sure to update your open source components.


Meet The Author

Patricia Johnson

A technology and business leader with experience in application development, infrastructure and security and with a strong focus on open source software. Patricia helps companies to better manage their open source usage, so they can focus on building great products and maximize the benefits of open source.
