September is officially the start of autumn, and we are here to celebrate the end of summer with our list of top 5 new open source vulnerabilities in September. This past month’s Top 5 might surprise you, as it includes vulnerabilities that have actually been around for quite a while — but not on the NVD. Once again, the de-centeralized and collaborative nature of the hardworking open source community provides consistent and efficient security coverage, just as long as you know where to look.
Our hardworking research crew has reviewed all of the open source vulnerabilities published this September and put together a list of September’s Top 5 new known open source security vulnerabilities. The data is aggregated by WhiteSource’s comprehensive database, updated continuously from the National Vulnerability Database (NVD), as well as other publicly available, peer-reviewed security advisories and issue trackers.
Since not all reported open source vulnerabilities appear in the NVD, the WhiteSource database covers several other sources. That’s the reason this list includes vulnerabilities from the CVE index as well as vulnerabilities from the WS database, that haven’t been added to the CVE lists.
The list below tells you what you need to know about the top vulnerabilities to hit in September, you can use the WhiteSource Vulnerability Checker to see if they are in one of your projects.
Vulnerability Score: Medium — 5.3
Affected versions: version 2.2.2
This affected version of NodeJS tough-cookie contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing. This could be exploited by hackers for a Denial of Service attack, using a custom HTTP header passed by a client.
2.2.2 is a relatively old version, and the vulnerability has been around for a while in the WhiteSource database and multiple security advisories like npm's, or bug trackers like Red Hat’s Bugzilla, but it was only published on the NVD in September, and is still under an “awaiting analysis” status there.
Don’t let the age of this issue fool you. As vulnerabilities like Heartbleed and Shellshock taught us, vulnerabilities don’t have an expiration date. They are thereuntil we patch or update the vulnerable version.
This is another reminder that sometimes our most trusted open source components are in need of an update. Most often, these are readily available to users, if only they knew where to find them. That’s why using the right tools to check open source components continuously while tracking new open source vulnerabilities, ensures that projects are safe and up to date.
You can read more about the tough-cookie vulnerability, and its fix on GitHub.
Vulnerability Score: High — 7.1
Affected versions: before 3.6.0
Vulnerable versions of loopback-connector-mongodb — the MongoDB Connector for LoopBack, allow NoSQL injections, because of a filter sanitization issue.
LoopBack is one of the open source projects that IBM creates and maintains to provide the API developers’ community open source solutions. The LoopBack framework is a set of Node.js modules to be used independently or together to quickly build REST APIs.
Among many other features, LoopBack enables developers to access data from major relational databases, SOAP, and REST APIs. LoopBack’s MongoDB connector enables LoopBack applications to connect to data sources in the immensely popular MongoDB.
This vulnerability was added to the WhiteSource database from a security advisory other than the NVD, which is why the vulnerability ID for this issue is not the common CVE ID, rather it starts with WS.
Happily, LoopBack’s recent security advisory, reports that the issue has been resolved, and that a secure version has been released. If you are using the LoopBack MongoDB connector, make sure that you are using version 3.6.0 or later. You can find more information about the vulnerability on GitHub and the npm security advisory.
Vulnerability Score: Medium — 6.8
Affected versions: 2.9
An integer overflow issue was found in a function in this affected version of Little CMS. The security vulnerability could cause a heap-based buffer overflow, via a specifically crafted input file.
Little CMS or LCMS (short for Little Color Management System) is a free, open source, color management engine that provides fast transforms between ICC profiles. According to the community, this 20 year old project is one of the most popular open-source color management libraries, used by printer firmware, monitors, digital cameras, RIPs, publishing and scientific projects, to name a few.
Vulnerability Score: Medium — 5.5
Affected versions: libcurl 7.15.4 to and including 7.61.0
Multiple versions of libcurl, the curl library, contain a buffer overrun vulnerability in the NTLM authentication code. This could be exploited to execute arbitrary code on the target system, when a remoteuser sends a specially crafted NTLM authentication password to trigger a buffer overflow in the Curl_ntlm_core_mk_nt_hash() function in 'lib/curl_ntlm_core.c'.
According to curl’s security advisory, the issue can only occur on 32 bit systems, in cases where the password field requires using over 2GB of memory, which should be rare. That said, the advisory also warns that curl is used by many applications, but not always advertised as such”.
libcurl is a portable C-based multi-platform client-side URL transfer library, for both open source and commercial users, and is extremely popular among developers across industries and organizations.
Everything curl, the extensive free guide that will teach you, well, everything about curl, tells us that libcurl is the engine that performs internet data transfers in thousands of tools, services and applications that we are all most probably using. So, while the issue would only occur in a very specific scenario, it’s still highly recommended users check and make sure that they’re using a secure version.
Now for some good news: the folks at curl have already issued both an updated version and a patch. Learn more about the vulnerability and its fix on GitHub.
Vulnerability Score: Medium — 4.5
Affected versions: before 2.5.17
According to the issue page on GitHub, the vulnerability was found in a test in DOH, the Dojo’s testing utility, and since the test isn't used anymore and it doesn’t run automatically, the threat is minimal.
This is another issue that has yet to be added to the NVD, and is currently indexed in the WhiteSource database with a WS ID. Make sure you check your projects for vulnerable versions, and update to a safe version of Dojo.
In our recent annual report about the state of open source vulnerability management, we learned that while developers rate security as their number one concern when working with open source components, there are still no standard best practices across the development industry when it comes to dealing with open source vulnerabilities.
Our list of top 5 new open source vulnerabilities in September gives us some prime examples of why and how open source vulnerability management can be a challenge: new vulnerabilities are constantly published, often discovered in some of the most popular open source libraries out there, and just as often the data about the vulnerabilities and their fixes are not posted in one centralized location, making it impossible to manually manage keeping track of new vulnerabilities and checking our projects for them.
Once development teams adopt an automated open source management tool, the Wild West can become easier to handle. A tool that continuously tracks the open source components in our code and matches them up against a comprehensive database for open source vulnerabilities, can do the heavy open source security lifting for you, freeing up more time for developing the next big thing.
Want to catch up on earlier 2018 open source vulnerabilities? Visit our top open source vulnerabilities page.