News | 1/22/2008 05:21 PM

Five Most Overlooked Open Source Vulnerabilities Found By Audits

Risk management company Palamida's list includes direct links to patches that will fix all five flaws, including ones identified in Geronimo 2.0 and JBoss.

After reviewing 300 million lines of code in 2007, Palamida, a vulnerability audit and software risk management company, says it's identified the five vulnerabilities most frequently overlooked by users in their open source code.

The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida's enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.

Open source code is "not any more vulnerable than commercial software" and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.

The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.

Palamida's list of five frequently overlooked vulnerabilities is as follows:

  • Geronimo 2.0, the application server from the Apache Software Foundation, contains a vulnerability in its login module that allows remote attackers to bypass authentication requirements, deploy a substitute malware code module, and gain administrative access to the application server. The access is gained by "sending a blank user name and password with the command line deployer in [Geronimo's] deployment module," the Palamida report said. A blank user name and password should trigger a "FailedLoginException" response in Geronimo 2.0 but doesn't.

    A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.

    Geronimo competes with Red Hat's JBoss and other open source application servers.

  • The JBoss Application Server has a "directory traversal vulnerability in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. It allows remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code," the Dec. 7 report concluded.

    A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.

  • The third frequently encountered vulnerability on the list is the LibTiff open source library for reading and writing Tagged Image File Format, or TIFF, files. The LibTiff library before release 3.8.2 contains command-line tools for manipulating TIFF images on Linux and Unix systems and is found in several Linux distributions.

    Using the LibTiff library in a version before 3.8.2 allows "context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory," the Palamida report states. The large values may lead to an integer overflow or another unanticipated result and constitute an "unchecked arithmetic operation," the report said.

    A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.

  • The fourth vulnerability on the list is found in Net-SNMP, the suite of programs that implement the SNMP protocol. It's found in version 1.0, version 2c and version 3.0. When certain versions of Net-SNMP are running in master agentx mode, the software allows "remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a freeing of an incorrect variable," the report said.

    A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.

  • The fifth overlooked vulnerability is found in Zlib, a software library used for data compression. Zlib 1.2 and later versions allow a remote attacker to cause a denial of service. The attack uses a specially crafted compressed stream with an incomplete code description of a length greater than 1, causing a buffer overflow.

    The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.
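The JBoss entry above describes a deployment file repository that lets authenticated users read or modify files outside the directory it is meant to serve. The check that prevents that class of bug is a containment test on the requested path before the filesystem is touched. The following C program is an added illustration of such a check, not code from JBoss or from Palamida's report; the function names, the base directory `/srv/deploy` and the sample requests are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not JBoss's or Palamida's code): a deployment
 * repository stores artifacts under one fixed base directory. A
 * user-supplied relative path is normalized segment by segment; any
 * attempt to climb above the base with ".." or to pass an absolute
 * path is rejected before any file is opened. */

#define MAX_SEGS     64
#define MAX_PATH_LEN 1024

/* Returns 0 and writes "<base>/<normalized request>" into out on success,
 * -1 if the request would escape the base directory or is malformed. */
int repo_resolve(const char *base, const char *request, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;

    if (request == NULL || request[0] == '/' || request[0] == '\\')
        return -1;                       /* absolute paths are never valid here */
    if (strchr(request, '\\') != NULL)
        return -1;                       /* backslash separators are ambiguous */

    const char *p = request;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (*p == '/') p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                    /* empty segment or ".": no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;               /* would climb above the base */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return -1;
        segs[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    size_t used = strlen(base);
    if (used + 1 >= outlen) return -1;
    memcpy(out, base, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Convenience for checks: 1 if request resolves to expected, or if
 * expected is NULL and the request is rejected; 0 otherwise. */
int repo_check(const char *request, const char *expected)
{
    char buf[MAX_PATH_LEN];
    int rc = repo_resolve("/srv/deploy", request, buf, sizeof buf);
    if (expected == NULL) return rc != 0;
    return rc == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed requests: two ordinary ones and two traversal attempts. */
    const char *tests[] = { "app/foo.war", "./app//bar.ear",
                            "app/../../../etc/passwd", "../x" };
    char buf[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int rc = repo_resolve("/srv/deploy", tests[i], buf, sizeof buf);
        printf("%-26s -> %s\n", tests[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical: it decides containment from the string alone, so it is safe to run on untrusted input before anything is opened. It does not account for symbolic links inside the base directory; a repository that allows those should additionally resolve the final path with `realpath()` and confirm it still starts with the base.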
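The LibTiff entry above attributes the flaw to large offset values that pass numeric range checks, which the report calls an "unchecked arithmetic operation." The C program below is an added illustration of that failure mode and its fix; it is not LibTiff's code and not from Palamida's report. A TIFF directory entry carries a data type, a count and a 32-bit file offset, and the reader must confirm that the byte range the entry describes lies inside the file. The function names, the 1000-byte file size and the sample entries are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not LibTiff's or Palamida's code. The range check a
 * TIFF reader needs is "offset + count * typesize <= filesize". Done in
 * plain 32-bit arithmetic, the multiply or the add can wrap, so an entry
 * far past the end of the file still compares as in-bounds. */

/* Flawed pattern: both operations may wrap. Kept here only to show what
 * the hardened version guards against. */
int entry_in_bounds_naive(uint32_t offset, uint32_t count,
                          uint32_t typesize, uint32_t filesize)
{
    uint32_t nbytes = count * typesize;   /* wraps if count*typesize >= 2^32 */
    uint32_t end = offset + nbytes;       /* wraps if offset+nbytes >= 2^32 */
    return end <= filesize;
}

/* Hardened: every operation is validated before it is performed, so no
 * wrapped intermediate ever reaches the comparison. Returns 1 if the
 * entry's data lies entirely inside the file, 0 otherwise. */
int entry_in_bounds(uint32_t offset, uint32_t count,
                    uint32_t typesize, uint32_t filesize)
{
    if (typesize == 0)
        return 0;                          /* unknown or invalid data type */
    if (count > UINT32_MAX / typesize)
        return 0;                          /* count * typesize would wrap */
    uint32_t nbytes = count * typesize;
    if (offset > filesize)
        return 0;                          /* starts past end of file */
    return nbytes <= filesize - offset;    /* subtraction cannot wrap here */
}

int main(void)
{
    /* Constructed entries against a 1000-byte file; the last two are the
     * large-offset and large-count cases that fool the naive check. */
    struct { uint32_t offset, count, typesize; } entries[] = {
        { 100, 10, 4 },            /* ordinary, in bounds */
        { 961, 10, 4 },            /* ends one byte past end of file */
        { 0xFFFFFFF0u, 8, 4 },     /* offset + 32 wraps to 16 */
        { 100, 0x40000001u, 4 },   /* count * 4 wraps to 4 */
    };
    const uint32_t filesize = 1000;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        printf("offset=%10lu count=%10lu -> naive=%d hardened=%d\n",
               (unsigned long)entries[i].offset, (unsigned long)entries[i].count,
               entry_in_bounds_naive(entries[i].offset, entries[i].count,
                                     entries[i].typesize, filesize),
               entry_in_bounds(entries[i].offset, entries[i].count,
                               entries[i].typesize, filesize));
    }
    return 0;
}
```

The hardened version never computes a value that could wrap: it bounds the count before multiplying and compares the offset before subtracting, which is the discipline any parser of untrusted length-and-offset fields needs, not only a TIFF reader.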

The fact that the vulnerabilities exist doesn't mean that anyone should stop using open source code. But users should adopt vulnerability patches or update to the latest stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerabilities and Exposures (CVE) number, can be found at Palamida's Dec. 7 Web site listing. CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.
