The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida's enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.
Open source code is "not any more vulnerable than commercial software" and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.
The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.
Palamida's list of five frequently overlooked vulnerabilities is as follows:
A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.
Geronimo competes with Red Hat's JBoss and other open source application servers.
A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.
Using the LibTiff library in a version before 3.8.2 allows "context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory," the Palamida report states. The large values may lead to an integer overflow or another unanticipated result and constitute an "unchecked arithmetic operation," the report said.
A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.
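To illustrate the bug class the report describes, here is an added example (not code from libtiff or from Palamida): a TIFF directory-entry range check written with unchecked 32-bit arithmetic, beside an overflow-safe version of the same check. The function names, parameters and sample entries are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A TIFF directory entry gives a count of values and a file offset where
 * they start; the reader must confirm offset + count * size fits in the
 * file before it reads. Parameter names here are illustrative, not libtiff's. */

/* Unchecked arithmetic: the end-of-range sum is formed in 32 bits, so a
 * large offset or count wraps past zero and the comparison against the
 * file size passes even though the real range lies outside the file. */
bool range_ok_unchecked(uint32_t offset, uint32_t count,
                        uint32_t type_size, uint32_t file_size)
{
    uint32_t end = offset + count * type_size;   /* may wrap around */
    return end <= file_size;
}

/* Hardened check: validate each term before combining them, and bound the
 * count by the space that remains after the offset, so no multiplication
 * or addition can overflow and the comparison is meaningful. */
bool range_ok_checked(uint32_t offset, uint32_t count,
                      uint32_t type_size, uint32_t file_size)
{
    if (type_size == 0)        return false;  /* unknown type: skip entry */
    if (offset > file_size)    return false;  /* starts past end of file */
    /* count * type_size must not exceed file_size - offset */
    return count <= (file_size - offset) / type_size;
}

int main(void)
{
    /* Constructed entry: offset near the top of the 32-bit range, so
     * offset + 16 * 4 wraps to a small number in 32-bit arithmetic. */
    uint32_t file_size = 4096;
    printf("large offset, unchecked: %s\n",
           range_ok_unchecked(0xFFFFFFF0u, 16, 4, file_size) ? "accepted" : "rejected");
    printf("large offset, checked:   %s\n",
           range_ok_checked(0xFFFFFFF0u, 16, 4, file_size) ? "accepted" : "rejected");
    /* Constructed entry: offset 0 but a count whose product with the
     * 4-byte type size wraps 32 bits. */
    printf("large count, unchecked:  %s\n",
           range_ok_unchecked(0, 0x40000001u, 4, file_size) ? "accepted" : "rejected");
    printf("large count, checked:    %s\n",
           range_ok_checked(0, 0x40000001u, 4, file_size) ? "accepted" : "rejected");
    return 0;
}
```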
A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.
The fact that the vulnerabilities exist doesn't mean that anyone should stop using open source code. But users should apply vulnerability patches or update to the latest stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerabilities and Exposures (CVE) numbers, can be found at Palamida's Dec. 7 Web site listing. CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.