While all you hard working folks have hopefully been taking advantage of the jolly month of December for much-needed Christmas and New Years vacations and/or celebrations, our database has continued to aggregate open source projects and vulnerabilities.
Since publishing our Top 10 Vulnerabilities of 2017 list, we’ve received a ton of positive feedback, hearing from our readers that this is a useful resource for keeping up on the most current and pressing vulnerabilities in open source software. Not wanting to disappoint our fans, we’ve decided to make this a monthly thing, and will be bringing you a Top 5 Vulnerabilities list to help make staying on top of open source security just a little bit easier.
This month, some extremely popular and active open source projects were added to the Mend database. Chances are that your developers are using at least a few of them.
Our December Top 5 list is ordered according to how many organizations were affected by the vulnerability and were required to update their project. The list includes only vulnerabilities that we have classified as Medium, High, or Critical, based on the NVD and additional security advisories.
The Mend database continuously monitors and aggregates information from the commonly used National Vulnerability Database (NVD) as well as from a number of publicly available, peer-reviewed open source security advisories, so that we can present you with this list of up-to-date known open source vulnerabilities and their suggested fixes.
So, without further ado, brace yourselves for December’s top 5 vulnerable open source projects.
Severity: Critical — 9.8
CPython is an extremely popular open source programming language used to build web applications, as well as having a large variety of other uses. Since its release nearly 30 years ago, it’s been developed and used by many in the open source community. It is the second most popular programming language on GitHub, and its GitHub page, with over 100,000 commits, shows how widely used it is.
The critical vulnerability that was found could be exploited by creating a specially crafted Python source code file that, when loaded by the target user, executes arbitrary code on the target system through a buffer overflow. This would allow unauthorized disclosure of information, unauthorized modification, or disruption of service. Basically, wreaking all kinds of havoc.
The fix for this critical issue can be found on GitHub.
Severity: High — 7.5
Are there any experienced JavaScript developers out there that haven’t had to wrestle with JavaScript’s Date object? Probably not.
Dates and times are used in practically every application. They might be needed to track the creation of an object using the time since an event occurred or to save the date of an event. JavaScript’s Date object can be hard to work with as it requires a developer to write many lines of code if they want to do complex parsing, validation, or displaying of dates.
This is where Moment.js comes in. Moment.js is a free and open source JavaScript library for dealing with dates and times that frees developers from having to use the native JavaScript Date object directly. Moment.js also offers a variety of plugins that enable additional features like time-zone support, recurrence, and Twitter integration.
GitHub data shows that Moment.js is supported by a large and active development community, consisting of 455 contributors and over 300 commits in the six years since it was originally released.
This component has a relatively good history with security. In the six years since it was initially released, aside from a Regular Expression Denial of Service (ReDoS) doozy in 2016, it’s been relatively safe.
Unfortunately, this month Moment.js got hit once again with another vulnerability that researchers say could leave users open to yet another ReDoS attack, earning this project a 7.5 CVSS score.
You may have noticed that the vulnerability doesn’t have a standard CVE identifier. This is because the vulnerability isn’t in the National Vulnerability Database (NVD). Because the NVD is so large and well regarded, not many realize that it doesn’t contain all open source vulnerabilities, and some important ones — like this one in Moment.js — might be missing.
Sometimes, a vulnerability will be discovered by a research group and included in an advisory that is not included in the NVD’s database. This is why Mend’s database doesn’t limit itself to only NVD vulnerabilities, and collects data from additional security sources. The Moment.js vulnerability was added to the Mend database from scanning additional security advisories.
Researchers provided a simple fix: update to Moment.js version 2.19.3.
You can read more about the latest Moment.js vulnerability and its remediation here, and here on GitHub.
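Since the remediation for this one is simply "be on 2.19.3 or later", a practical follow-up is to confirm that no copy of moment in a project's lock file is still older than that. The script below is an added example, not code from the original post or from the Moment.js project; it assumes npm's lock-file layouts (a nested "dependencies" tree in lockfile v1, or a flat "packages" map keyed by install path in v2/v3) and uses a constructed sample lock as input.

```javascript
// Added example (not from the original post): find every installed copy of
// moment in an npm package-lock.json and flag those older than 2.19.3.
const FIXED_MOMENT = '2.19.3';

// Compare two dotted versions numerically; a prerelease suffix ("-beta") is
// ignored here. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each installed copy of `name`, including
// nested copies that a plugin or another dependency pulled in on its own.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: keys are install paths such as "node_modules/moment"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name) && meta.version) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  // lockfile v1: nested "dependencies" objects, each with its own version
  const walk = (deps, prefix) => {
    for (const [n, meta] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + n;
      if (n === name && meta.version) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Copies of moment below the fixed release named in the advisory.
function vulnerableMoment(lock) {
  return findInstalled(lock, 'moment').filter(h => compareVersions(h.version, FIXED_MOMENT) < 0);
}

// Constructed sample lock (v1 shape): a direct moment 2.18.1 plus a nested,
// already-fixed copy under a plugin. Replace with JSON.parse of a real lock file.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    moment: { version: '2.18.1' },
    'some-plugin': { version: '1.0.0', dependencies: { moment: { version: '2.19.3' } } },
  },
};

for (const h of vulnerableMoment(sampleLock)) console.log(`${h.path}: ${h.version} < ${FIXED_MOMENT}`);
```

The nested walk matters because a fixed top-level moment does not guarantee that a plugin has not pinned an older copy of its own.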
Severity: High — 8.1
When a widely used open source tool for retrieving and managing IDs and permissions in large directories is vulnerable, it gets a place in December’s top 5 monthly vulnerabilities list.
Spring LDAP is an open source library for LDAP programming in Java. It provides a wrapper framework around LDAP implementations that simplifies LDAP (Lightweight Directory Access Protocol) operations, relieving developers of common tasks like looking up and closing contexts, looping through results, encoding and decoding values and filters, and more.
The vulnerability that was discovered is a high severity sign-in authentication vulnerability that might allow users to enter the system with an arbitrary password if the username they entered is correct. If exploited by hackers, this vulnerability could be a nightmare for an organization and anyone whose personal information was stored on the breached server.
The fix is available on GitHub.
Severity: High — 8.8
The open source Swagger project reads OpenAPI Specifications into current Java POJOs (Plain Old Java Objects). It also provides a simple framework to add additional converters from different formats into the Swagger objects, making the entire toolchain available.
Swagger has an extremely active developer community, and is the largest framework of API developer tools for the OpenAPI Specification (OAS). It enables development across the entire API lifecycle, from design and documentation, to test and deployment.
The popularity and scope of this library means that it’s used by many application development projects, and that a vulnerability has the potential of putting many products at risk of being exploited.
The vulnerability that was found can lead to arbitrary code being executed, which means it could allow unauthorized disclosure of information, unauthorized modification and disruption of service.
More information about the vulnerability and its fix can be found in GitHub.
Severity: Medium — 5.9
Another widely used project from the popular open source Spring Project, Spring Web Flow facilitates building web applications that require guided navigation, or a “flow”.
Examples include a shopping cart, flight check-in, a loan application, or any other application that guides a user through a business task. In contrast to stateless, free-form navigation, such use cases have a clear start and end point, one or more screens to go through in a specific order, and a set of changes that are not finalized until the end. A “flow” spans multiple HTTP requests, has state, deals with transactional data, is reusable, and may be dynamic and long-running in nature.
The vulnerability that was discovered could allow unauthorized modification. For applications that are accessed by a high number of users and provide a gateway to users’ or organizations’ sensitive data, this could be extremely risky.
The Spring Web Flow project provides a fix to the issue on GitHub.
All five of these vulnerabilities are in commonly used open source components, and are likely to affect more than a few organizations. As we kick off 2018, we hope that you will use this list to locate any risky components in your systems and start the year securely. Next month we’ll bring you new updates, chock full of the most pressing vulnerabilities, keeping you up to speed on everything you need to know to keep your software safe.