It has been said that March comes in like a lion and goes out like a lamb. It’s still early to determine how accurately that applies to this month, but one thing is certain: February's list of top five open source security vulnerabilities reveals some gnarly and highly critical beasts.
Once again, our knowledge team sorted through all of the new issues added to WhiteSource’s database in February to choose the top five new open source vulnerabilities published that month that you should know about. The vulnerability database automatically aggregates open source vulnerabilities published in several respected community resources like the National Vulnerability Database (NVD), and other publicly available, peer-reviewed security advisories and issue trackers.
This list contains some highly critical issues found in some of the most popular open source components out there. Luckily, the open source community is doing a great job of discovering and fixing issues. Now it’s up to us to stay in the know and make sure that we aren’t using any vulnerable or outdated versions of open source components in our applications. To give you a bit of a head start, here is our list of the top five new open source security vulnerabilities in February.
Vulnerability Score: Critical — 9.8
Affected versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, and Android-9
Coming in at number one is this highly critical issue from an extremely popular open source project that you might have heard of.
A possible out-of-bounds write was found in bta_ag_parse_cmer of bta_ag_cmd.cc in Android, due to a missing bounds check. This could lead to a Remote Code Execution attack.
According to Android’s security bulletin, a hacker could exploit this newly discovered security vulnerability using a specially crafted file to execute arbitrary code within the context of a privileged process.
The vulnerability was found to be critical enough to receive the maximum CVSS v2 vulnerability score of 10, and a whopping 9.8 CVSS v3 score. According to the bulletin, the Android security team’s severity assessment is based on the effect that exploiting the vulnerability could have on an affected device, assuming that the platform and service mitigations are either turned off for development purposes or successfully bypassed.
Vulnerability Score: High — 8.6
Affected versions: runC through 1.0-rc6, as used in Docker before 18.09.2 and other products
Docker is a major solution in the trendy container ecosystem, so this is a big one. So big that we mentioned it in a recent blog post about the top 5 Docker vulnerabilities.
A Remote Code Execution vulnerability was discovered in runC, the open source project behind the runtime capabilities of most container technologies. It stems from a container breakout vulnerability that hackers can exploit by overwriting the host’s runC binary, gaining root access to the targeted host.
This security vulnerability received a high severity rating: 8.6 under CVSS v3 and 9.6 under CVSS v2.
This issue reminds us that as much as containers provide agility and security benefits, they still require security management. This is just one example of how attacker-controlled images can be a very real threat.
Docker has already issued a fix in version 18.09.2, and recommends that users upgrade to it as soon as possible.
Vulnerability Score: Critical — 9.8
Affected versions: from 7.36.0 to before 7.64.0
A stack-based buffer overflow issue was discovered in vulnerable libcurl versions due to incorrect handling of certain NTLMv2 authentication messages. Attackers could exploit this security vulnerability to cause curl to crash, resulting in a denial of service condition, or possibly to execute arbitrary code.
curl’s security advisory recommends that users with vulnerable versions of curl address this issue immediately by either upgrading curl to version 7.64.0, applying a patch to their version, or turning off NTLM authentication.
An extremely popular open source project, libcurl is a portable C-based multi-platform client-side URL transfer library for both open source and commercial users.
According to everything curl, the comprehensive free guide that promises to teach you everything you need to know about curl, libcurl is the engine that performs internet data transfers in thousands of tools, services, and applications that all of us are using. Considering this together with the highly critical vulnerability rating, you should most probably check whether you are using a vulnerable version to get in front of this issue.
Vulnerability Score: Medium — 6.1
Affected versions: before 4.3.1
A Cross-Site Scripting vulnerability was found in all Bootstrap versions prior to 4.3.1 due to an issue in the tooltip or popover data-template attribute.
Vulnerability Score: Medium — 5
Affected versions: prior to 2.3.1
Vulnerable versions of braces are open to Regular Expression Denial of Service (ReDoS). According to the npm security advisory, “untrusted input may cause catastrophic backtracking while matching regular expressions” causing the application to become unresponsive, and leading to Denial of Service.
In order to remediate the issue, users need to upgrade to version 2.3.1 or higher.
Braces is an open source project that offers faster brace expansion for node.js. The project also boasts being safe and accurate, in addition to providing complete support for the Bash 4.3 braces specification.
You might have noticed that this vulnerability’s ID is prefixed by WS rather than the classic CVE prefix. The reason for this is that it is yet to be added to the National Vulnerability Database (NVD). While the NVD is a comprehensive vulnerability database, many don’t know that only 86% of open source vulnerabilities are in the CVE database. Other open source vulnerabilities are published on a variety of resources. That’s the reason WhiteSource’s open source vulnerability database extends beyond NVD vulnerabilities, and continuously collects information from additional security sources.
You can read more about the vulnerability, and its fix on GitHub.
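The practical takeaway from every entry above (Android, runC and Docker, libcurl, Bootstrap, and braces) is the same: compare the versions you actually ship against the affected ranges. The following script is an added example and not code from WhiteSource or from any of the projects mentioned; it encodes only the "Affected versions" lines from this post (the "and other products" that bundle runC are not enumerated here), and the component names, the range helpers and the sample dependency inventory are constructed for illustration, not taken from any real lock file or SBOM. The one detail worth getting right is pre-release ordering: runC's range ends at 1.0-rc6, so the comparison must treat 1.0-rc6 as older than 1.0.

```python
"""Flag dependency versions that fall inside the affected ranges listed in this post.

Added example (not from the post or the projects it covers). The ranges below
are copied from the post's "Affected versions" lines; everything else here,
including the sample inventory, is constructed for illustration.
"""
import re
from typing import Callable, Dict, List, Tuple

# A version key is (numeric components, pre-release marker). The pre-release
# marker is (0, rc_number) for "rcN" and (1,) for a final release, so that
# 1.0-rc6 sorts below 1.0 and two release keys compare on their numbers only.
Version = Tuple[Tuple[int, ...], Tuple[int, ...]]

_VERSION_RE = re.compile(r"(?:[A-Za-z]+-)?(\d+(?:\.\d+)*)(?:[-.]?rc(\d+))?")


def parse_version(text: str) -> Version:
    """Parse "7.64.0", "18.09.2", "1.0-rc6" or "Android-9" into a comparable key.

    Trailing ".0" components are dropped so that 7.64.0 == 7.64; a leading
    word prefix such as "Android-" is ignored.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    pre = (0, int(m.group(2))) if m.group(2) else (1,)
    return tuple(nums), pre


# Small range helpers; each returns a predicate over a parsed version key.
def before(limit: str) -> Callable[[Version], bool]:
    lim = parse_version(limit)
    return lambda v: v < lim            # "before X": strictly older than X


def through(limit: str) -> Callable[[Version], bool]:
    lim = parse_version(limit)
    return lambda v: v <= lim           # "through X": X itself is affected


def between(low: str, high: str) -> Callable[[Version], bool]:
    lo, hi = parse_version(low), parse_version(high)
    return lambda v: lo <= v < hi       # "from X to before Y"


def one_of(*versions: str) -> Callable[[Version], bool]:
    affected = {parse_version(x) for x in versions}
    return lambda v: v in affected      # explicit list, as in the Android entry


# Affected ranges exactly as stated in the post. Component names are assumed.
AFFECTED: Dict[str, Callable[[Version], bool]] = {
    "android":   one_of("7.0", "7.1.1", "7.1.2", "8.0", "8.1", "9"),
    "runc":      through("1.0-rc6"),
    "docker":    before("18.09.2"),
    "curl":      between("7.36.0", "7.64.0"),
    "libcurl":   between("7.36.0", "7.64.0"),
    "bootstrap": before("4.3.1"),
    "braces":    before("2.3.1"),
}


def is_affected(component: str, version: str) -> bool:
    """True when `version` of `component` lies in a range from this post."""
    check = AFFECTED.get(component.lower())
    if check is None:
        return False                    # not one of this month's five entries
    return check(parse_version(version))


def scan(dependencies: List[Tuple[str, str]]) -> List[str]:
    """Return "name@version" for every dependency inside an affected range."""
    return [f"{name}@{ver}" for name, ver in dependencies if is_affected(name, ver)]


# Constructed sample inventory (not from the post), e.g. as read from an SBOM.
SAMPLE_INVENTORY = [
    ("docker", "18.09.1"),
    ("docker", "18.09.2"),
    ("runc", "1.0-rc6"),
    ("runc", "1.0-rc7"),
    ("libcurl", "7.63.0"),
    ("libcurl", "7.35.0"),
    ("bootstrap", "4.3.0"),
    ("braces", "2.3.1"),
    ("android", "8.1"),
    ("android", "10"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_INVENTORY):
        print("AFFECTED:", hit)
```

Running it against the constructed inventory flags docker@18.09.1, runc@1.0-rc6, libcurl@7.63.0, bootstrap@4.3.0 and android@8.1, and leaves the fixed versions (18.09.2, 7.64.0 and later, 4.3.1, 2.3.1) alone. Feeding it your own list of (component, version) pairs is the whole point; the range table is the part to keep current as advisories are amended.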
Whether it's Android, Docker, or libcurl, the open source projects in the list of top five open source vulnerabilities in February power a lot of the software and technologies that we all use on a daily basis.
This month’s list includes open source projects that are supported and maintained by industry giants, alongside popular open source projects loved and cared for by developers from the community. They all work hard to make sure any discovered security vulnerabilities are swiftly addressed. However, unlike commercial software, it’s up to us users to keep the open source libraries that we use updated and vulnerability-free.
This is where open source security management comes in. Integrating an automated tool into your DevSecOps pipeline can help your teams stay on top of any newly discovered open source vulnerabilities without sacrificing your software projects’ quality or speed.
Want to catch up on earlier 2018 open source vulnerabilities? Check out our top open source vulnerabilities page to see if there are any that you might have missed last year.