It’s that time of the year again.
It’s the middle of the holiday season, and now is the time to reflect on our experiences over the past year in the ever exciting world of open source. Whether it was vulnerability Grinches trying to find new ways into our web applications or the rise of awesome open source projects, 2018 was one crazy year for open source.
This past year we saw software giants like Microsoft (acquiring GitHub) and IBM (acquiring RedHat) helping to cement the role of open source in the future of software and business. New vulnerabilities showed that we are far from secure when it comes to how we are using open source components in our software. The past year has had its ups and downs, but at least there wasn’t a repeat of Equifax.
In the spirit of the holidays, we are shedding light on the 5 most severe open source vulnerabilities of 2018 and the 5 cool open source projects you should know about.
Electron (Vulnerability Score: High — 9.6)
In 2018 it didn’t take long to receive our first severe open source vulnerability of the new year. In early January, the Electron security vulnerability was announced and boy did it send lots of folks scrambling to see if they were using it.
The vulnerability gave attackers unauthorized access to your data through a remote code execution flaw in the framework. Remote code execution is a class of vulnerability that lets an attacker run a malicious command on a targeted machine or process, which can result in a complete takeover of the computer.
You can find more information about the fix on the Electron blog.
Jenkins (Vulnerability Score: High — 7)
In early February right before Valentine’s Day, we had our hearts broken with the announcement of a new vulnerability inside our beloved open source Jenkins CI/CD server.
Jenkins is a web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results, and even automate the process of deploying new code to production servers.
The vulnerability announced by Jenkins allowed any anonymous user to perform actions that were intended for admins. Non-admin users would also receive alerts about the state of the Jenkins system. The major issue was that these warnings were consistently not protected by permission checks, giving non-admins a free hand to act on them.
You can find more information about the fix in the Jenkins security advisory.
Drupal (Vulnerability Score: High — 7.3)
In late April, the popular, free open source content management platform Drupal announced a critical vulnerability which is now known as Drupalgeddon 2.0.
This severe vulnerability potentially allowed remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. That gave attackers multiple attack vectors against a Drupal site, any of which could result in the site being completely compromised. Imagine someone being able to get on and change the content of your company’s website. Not an ideal situation to be in.
You can find more information about the fix in Drupal’s security advisory.
Apache Ant (Vulnerability Score: High — 8.5)
In June, the Java-based build tool Apache Ant was hit with an archive extraction vulnerability. Apache Ant is a Java library and command-line tool whose mission is to drive processes described in build files as targets and extension points dependent upon each other.
The affected versions of Apache Ant were vulnerable to a path traversal issue in archive extraction. An attacker could supply a specially crafted archive whose entry names contain directory traversal sequences, causing files to be written outside the intended extraction directory and potentially leading to arbitrary code execution.
You can find more information about this vulnerability and its fix here.
Event-Stream (Vulnerability Score: Critical — 10.0)
In late November, npm’s security team was notified of a malicious package that had made its way into event-stream, a popular npm package.
The malicious code resides in certain versions of the event-stream npm package, but it specifically targeted Copay, a Bitcoin wallet platform for desktop and mobile devices that is itself an open source project.
The injected code targets the Copay application. When a developer at Copay runs one of their release build scripts, the resulting code is modified before being bundled into the application. The code was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1000 Bitcoin Cash.
We should mention that this was not a classical open source component exploitation, since the attackers took control of the event-stream project by asking the project’s creator for commit rights. Many commentators considered this more of a social engineering attack than a technical one, but it was special in that it highlighted the community’s concerns over supply chain attacks. It should be noted, however, that the community was quick to flag and address this issue, eliminating the threat with its quick response.
You can read more about the vulnerability and the backlash it created on GitHub here.
Now for the good news. As in every year, 2018 was a great year for open source projects. Here are a few that caught our eye for their contributions to developers everywhere and for trending at the top of GitHub.
TensorFlow is an open source library for numerical computation using data-flow graphs. Developed by the Google Brain Team within Google's Machine Intelligence research organization for machine learning and deep neural networks research, the system is general enough to be applicable in a wide variety of other domains as well.
It runs on nearly everything: GPUs and CPUs—including mobile and embedded platforms—and even tensor processing units.
Styled-components enables you to style your components with CSS code and removes the mapping between components and styles. Styled-components started to rise in popularity in 2017; however, in 2018 we started to see major companies like Airbnb, Bloomberg, and Atlassian implement it in their builds.
Styled-components is compatible with both React (for web) and React Native – meaning it's the perfect choice even for truly universal apps.
Hyper is an open source framework for creating cross-platform desktop applications using HTML and JS.
If the current trends continue, then we expect to see even more widespread usage and adoption of open source in 2019. One trend that we think will pick up significantly will be the amount of corporate contribution to open source projects by leaders in the industry.
By contributing to the open source community, companies can pull more developers into their ecosystem while gaining more excellent minds working on their code. As for developers working on open source projects, they get to flex some brain muscles on code outside of what they work on in their everyday tasks and perfect the code they are using.
There are also the beginnings of a shift in the enterprise community: if enterprises want to use open source components to their benefit, they will have to put more of their own effort behind supporting them in order to improve quality and security for themselves and others. Like a forest, open source will have to be nurtured by enterprises if they want to see it succeed and grow across the software landscape.