Top Ten Open Source Security Vulnerabilities in 2019
2019 is finally behind us, and we are all already speeding through 2020, full of promise and new resolutions. While there are many things we would all rather leave in the past, the issue of open source security vulnerabilities is still as relevant as ever.
To keep you all in the know, our hard-working Knowledge Team took a deep dive into the Mend open source vulnerabilities database to give you their top ten new open source security vulnerabilities in 2019. Our database currently includes nearly 3.5 million vulnerable files and packages aggregated from dozens of sources including the NVD, security advisories, and open source project issue trackers, to ensure the most comprehensive open source vulnerabilities coverage possible.
This year’s top ten list of new known open source security vulnerabilities includes issues in projects written in popular languages like JavaScript, Java, Go, C, and Ruby. The vulnerable projects include everything from container orchestration to operating systems, from web server environments for Java to Ruby hosting services, and the list goes on.
Some of the vulnerabilities in our list of top new open source vulnerabilities in 2019 have an id that begins with WS, as opposed to the more familiar CVE prefix. That’s because while the NVD is a large and well-known vulnerabilities database that covers and expands on CVE entries, it doesn’t include open source vulnerabilities published outside of the CVE database. Because of the collaborative and non-centralized nature of the open source community, some open source vulnerabilities are published outside of the CVE, on open source projects’ issue trackers or advisories. The Mend database collects data from multiple resources in addition to the NVD, so that when an open source vulnerability is published in a resource other than the NVD and doesn’t have a CVE index, it gets a Mend index number with a WS prefix, rather than a CVE prefix.
Now let’s get down to business. Whether it’s a WS or CVE vulnerability, here is a list of the top ten new open source security vulnerabilities published in 2019.
#1 Lodash
Vulnerability Score: Critical — 9.8
Affected Versions: before 4.17.11
Previously known as WS-2018-0210, this issue is a new CVE that has been under the Mend radar, and in our database, for a while. However, it was published in the NVD in 2019, and due to the popularity of the project and the issue’s high vulnerability score, we decided to include it in this round-up of top new open source vulnerabilities in 2019, even though we highlighted it earlier when it was first published outside of the NVD.
This prototype pollution vulnerability was discovered in a few of the functions in the Lodash node module. Specifically, merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype.
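To make the mechanism concrete, here is an added example (not Lodash's own code) of a naive recursive merge that can be polluted through a `"__proto__"` key, beside a hardened merge that refuses to walk into the keys that reach `Object.prototype`, plus an input-side check that reports such keys before any merge runs. The payload and the sample document are constructed for the demonstration.

```javascript
// Added example, not Lodash's own code: a naive recursive merge that can be
// polluted through a "__proto__" key, beside a hardened merge that refuses
// to walk into the keys that reach Object.prototype.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: trusts every own key of `source`, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the injected properties onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips the dangerous keys and only recurses into properties that
// `target` really owns, so inherited members are never used as merge targets.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Input-side check: walks a decoded JSON document and reports every path that
// carries one of the unsafe keys, so a request can be rejected up front.
function findUnsafeKeys(value, pathPrefix = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeKeys(item, `${pathPrefix}[${i}]`, found));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      if (UNSAFE_KEYS.has(key)) {
        found.push(`${pathPrefix}.${key}`);
        continue; // do not descend into Object.prototype
      }
      findUnsafeKeys(value[key], `${pathPrefix}.${key}`, found);
    }
  }
  return found;
}

// Runs a constructed pollution payload through a merge function and reports
// whether a fresh, unrelated object ended up with the injected property.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed sample
  mergeFn({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo so the next check starts clean
  return leaked;
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes:', pollutes(safeMerge));   // false
console.log(findUnsafeKeys(JSON.parse('{"a":{"__proto__":{"x":1}},"b":[{"constructor":{}}]}')));
// [ '$.a.__proto__', '$.b[0].constructor' ]
```

`JSON.parse` creates `"__proto__"` as an ordinary own property, which is why `Object.keys` hands it to the merge; the hardened version treats that key, `constructor` and `prototype` as data the application must never use as a property path.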
Lodash is an extremely popular open source project that, according to its documentation, makes JavaScript easier by simplifying work with arrays, numbers, objects, strings, and more. Developers use Lodash’s modular methods for iterating arrays, objects, and strings, manipulating and testing values, and creating composite functions.
Lodash’s current version on npm (v4.17.15) has over 27 million weekly downloads, which tells us that users agree.
You can read more about the vulnerability and its fix on GitHub.
#2 JS-YAML
Vulnerability Score: High — 8
Affected Versions: prior to 3.13.1
This popular JavaScript component had quite a year, security-fix-wise, and this is only one of the issues that they dealt with. JS-YAML versions before 3.13.1 were found to be vulnerable to a Code Injection attack.
According to the npm security advisory, the load() function might execute arbitrary code injected through a malicious YAML file.
JS-YAML is a YAML 1.2 parser and writer for JavaScript. It’s an implementation of YAML, a human-friendly data serialization standard for all programming languages. According to JS-YAML’s documentation on GitHub and npm, the project started as a PyYAML port and was completely rewritten to become very fast and to support the 1.2 spec.
The 14 million-plus weekly downloads and over 9,400 dependents featured on JS-YAML’s npm page show us how popular and widely used the project is. Hopefully, if you’re one of the many JS-YAML users out there, you’re keeping track of your versions and updating them to stay secure.
The fix here is to upgrade to version 3.13.1 or later.
#3 fstream
Vulnerability score: High — 7.5
Affected versions: before 1.0.12
Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. According to the npm security advisory, the fstream.DirWriter() function is vulnerable. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system’s file with the contents of the extracted file.
Fstream is an extremely popular open source project, currently boasting over 4.7 million weekly downloads from npm. The project offers advanced FS Streaming for Node. The project’s documentation on GitHub describes it as similar to FS streams, but with stat on them, and supporting directories and symbolic links, as well as normal files. They can also be used to set the stats on a file, even if users don’t change its contents, or to create a symlink. According to the npm security advisory, upgrading to version 1.0.12 or later should resolve the issue.
This is another JavaScript issue that was first published in an open source security advisory and added to our database as WS-2019-0100, and only later published in the NVD with a CVE ID. Some programming languages are more likely than others to have many of their vulnerability postings in places other than the NVD, and this and the previous two issues might have clued you in to the fact that JavaScript is at the top of that list: over 31% of JavaScript vulnerabilities are posted on security advisories outside of the NVD.
You can learn more about the security vulnerability and its fix on GitHub.
#4 Python
Vulnerability Score: High — 7.5
Affected versions: through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4.
This issue was found in vulnerable versions of Python’s email module, which might parse email addresses incorrectly if they contain multiple @ characters. An attacker could exploit this to trick a vulnerable application into accepting an email address that should have been denied.
Python is an old community favorite, consistently ranking third in GitHub’s list of top languages since 2015, until this year when it jumped up to second place, taking Java’s place. Input Validation, otherwise known as CWE-20, is the most common issue type in Python, but that doesn’t mean that beloved Python is an insecure language. In fact, this project’s security profile is fairly solid. When we took a look at open source security in Python over time, we found a relatively low percentage of high-severity vulnerabilities over the past ten years, and a consistent decrease in vulnerabilities overall since 2015.
Read more about this new Python vulnerability and its fix on GitHub, or on the Python issue tracker.
#5 Linux kernel
Vulnerability Score: Critical — 9.8
Affected versions: prior to 5.0.9.
Given the size of the community and the volume of code, it’s only natural that the community invests a lot in finding and fixing issues in this OG open source project, which powers so much of our industry. 2019 was no different, and we saw many vulnerabilities published and fixed by the Linux kernel crew.
This issue is one of the highly critical vulnerabilities published this past August. The Ubuntu security notice reported that the Empia EM28xx DVB USB device driver implementation contained a use-after-free vulnerability when disconnecting the device. The notice went on to explain that an attacker could exploit this to cause a denial of service (system crash).
Make sure to check to see if you’re using a vulnerable version, and read more about this Linux kernel security issue and its fix here, here, and here.
#6 Apache Tomcat
Vulnerability score: 8.1
Affected Versions: 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93
Apache Tomcat is another old favorite, from a large and active community that has been working hard over the years to provide Java folks with the software they need to run their web apps.
In vulnerable versions of the project, when running on Windows with enableCmdLineArguments enabled, the Common Gateway Interface (CGI) Servlet in Apache Tomcat is open to Remote Code Execution due to a flaw in the way the JRE passes command-line arguments to Windows.
The issue can only be exploited if the target is running on Windows in a non-default configuration, in conjunction with batch files. When these conditions occur, the vulnerability could lead to an input validation vulnerability (CWE-20).
To address this issue, users need to make sure that Tomcat is running with the default settings, in which the CGI option enableCmdLineArguments is disabled going forward. The recommended fix is to upgrade to one of the fixed versions: 7.0.94, 8.5.40, or 9.0.19.
Seclists.org posted a detailed explanation about the vulnerability, and you can find more information about the JRE behavior in Markus Wulftange’s blog, and in this MSDN blog post.
#7 cURL
Affected versions (CVE-2019-5481): 7.52.0 to 7.65.3
Affected versions (CVE-2019-5482): 7.19.4 to 7.65.3
Vulnerability Score: Critical — 9.8
September served up a two-for-one with this pair of highly critical cURL issues.
The first issue in the popular C-based URL transfer library is CVE-2019-5481, a double-free vulnerability in the FTP-kerberos code. According to the curl security advisory, “vulnerable versions of libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.”
Then we have CVE-2019-5482, a critical heap buffer overflow vulnerability in curl’s TFTP protocol handler.
curl is used in practically every technology that requires internet transfer. That applies to cars, routers, printers, audio equipment, mobile devices, media players and more. Since curl supports thousands of software applications that impact billions of humans daily, it’s best to check which curl version you’re using and update it as soon as you can.
Also notable is the fact that both security vulnerabilities were published on the curl advisories, along with their fixes, within two weeks or less of being reported — much less than the commercial industry standard. This is a good example of how quickly security can work in the open source community, and it requires us, the users, to make sure that we are constantly tracking version updates.
You can find more information about the issues on the curl security advisories.
#8 RubyGems
Vulnerability Score: High — 7.4
Affected versions: 2.7.6 and later through 3.0.2
This one is for all of the avid Ruby fans out there. A directory traversal issue was discovered in vulnerable versions of RubyGems, the popular hosting service for that large Ruby community.
The RubyGems security advisory, published in March, explained that vulnerable versions of RubyGems would delete the target destination “before making new directories or touching files (which now include path-checking code for symlinks).” The advisory continued: “If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user’s machine,” and warned developers that, “Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.”
The issue was reported to the RubyGems crew through bug bounty operators HackerOne, and you can find the proof of concept here. RubyGems has published the patch here.
This shows us how bug bounty contributors have become a part of the open source community’s widespread and sometimes confusing security ecosystem. This is only one of several RubyGems issues published on HackerOne; you can check out the full list of issues and their fixes on RubyGems’ official blog.
#9 Kubernetes
Vulnerability Score: High — 7.5
Affected versions: v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2
This list couldn’t be complete without touching on the container ecosystem, and here’s an issue from one of the OGs of the container community.
An improper input validation issue in vulnerable versions of the API server allows authorized users to send malicious YAML or JSON payloads. This causes the server to consume excessive CPU or memory, and it could then potentially crash and become unavailable. This type of exploit is also known as a “Billion Laughs Attack”, because in its most popular example the first entity is the string “lol”, leading to the name “billion laughs”. Sadly, the results of such an attack might not be so funny.
Containers are becoming a key component of the DevSecOps environment, and as their popularity continues to grow, Kubernetes and other open source projects are gaining more attention from the security community, helping them to discover, fix and publish more security issues. If you are one of the growing number of Kubernetes fans out there, it’s best to make sure that you’re also adopting Kubernetes security practices and keeping your versions up to date.
You can find more information about the vulnerability and its fix on GitHub or the Kubernetes security advisory.
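The reason a tiny payload can exhaust a parser is that aliases multiply: each level references the previous one several times, so the expanded size grows exponentially while the input stays small. The added example below (not Kubernetes' code, and not a YAML parser) models a document with anchors and aliases directly as JavaScript values, with `{ alias: 'name' }` standing for a YAML alias, and counts what the document would expand to against a node budget, aborting as soon as the budget is exceeded. The "laughs" generator and the small legitimate document are constructed.

```javascript
// Added example, not Kubernetes' own code: a budgeted expansion of a document
// model with anchors and aliases. A real YAML parser holds the same structure
// after parsing; here the model is built directly so the block runs without
// a YAML library. An alias is written as { alias: 'name' }.

// Builds the classic pattern: a0 is a scalar, each higher level is an array
// of `fanout` aliases to the level below, and the root aliases the top level.
function buildLaughs(levels, fanout) {
  const anchors = { a0: 'lol' };
  for (let i = 1; i <= levels; i++) {
    anchors[`a${i}`] = Array.from({ length: fanout }, () => ({ alias: `a${i - 1}` }));
  }
  return { anchors, root: { alias: `a${levels}` } };
}

function isAlias(node) {
  return node !== null && typeof node === 'object' && !Array.isArray(node) && 'alias' in node;
}

// Counts the nodes (containers and scalars) the document would materialise
// with every alias expanded. Throws RangeError once `maxNodes` is exceeded,
// so a hostile document costs at most `maxNodes` steps instead of billions.
function countExpanded(root, anchors, maxNodes) {
  let count = 0;
  const expanding = new Set(); // anchors on the current expansion path (cycle guard)
  function walk(node) {
    if (isAlias(node)) {
      const name = node.alias;
      if (!(name in anchors)) throw new Error(`unknown anchor ${name}`);
      if (expanding.has(name)) throw new Error(`cyclic alias ${name}`);
      expanding.add(name);
      walk(anchors[name]);
      expanding.delete(name);
      return;
    }
    count += 1;
    if (count > maxNodes) throw new RangeError(`expansion exceeds ${maxNodes} nodes`);
    if (Array.isArray(node)) node.forEach(walk);
    else if (node !== null && typeof node === 'object') Object.values(node).forEach(walk);
  }
  walk(root);
  return count;
}

// Accept/reject decision a server-side validator would make before handing
// the document to the rest of the pipeline.
function withinBudget(doc, maxNodes) {
  try {
    countExpanded(doc.root, doc.anchors, maxNodes);
    return true;
  } catch (err) {
    if (err instanceof RangeError) return false;
    throw err;
  }
}

// Constructed legitimate use of anchors: two services sharing one defaults block.
const SHARED_DEFAULTS = {
  anchors: { defaults: { cpu: '1', mem: '2Gi' } },
  root: { web: { alias: 'defaults' }, db: { alias: 'defaults' } },
};

console.log(countExpanded(SHARED_DEFAULTS.root, SHARED_DEFAULTS.anchors, 1000)); // 7
console.log(countExpanded(buildLaughs(2, 3).root, buildLaughs(2, 3).anchors, 1000)); // 13
console.log(withinBudget(buildLaughs(9, 10), 1_000_000)); // false (would be ~1.1e9 nodes)
```

With `levels` levels and `fanout` aliases per level the expanded count is 1 + fanout × (count of the level below), which is why nine levels of ten aliases already exceed a billion nodes; the budget turns that into a bounded, early rejection.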
#10 Sudo
Severity score: High — 8.8
Affected versions: prior to version 1.8.28.
Last but certainly not least is this headline-grabber from Sudo, a program dedicated to the beloved Linux operating system, or any other Unix-like operating system, helping users delegate privileges.
On October 14, the Sudo team published a security alert about CVE-2019-14287, a new security issue discovered by Joe Vennix of Apple Information Security, in all Sudo versions prior to version 1.8.28. The security flaw could enable a malicious user to execute arbitrary commands as root user even in cases where the root access is disallowed.
Considering how widespread Sudo usage is among Linux users, it’s no surprise that for a hot minute, everyone was talking about the security vulnerability.
The Sudo team swiftly released a secure version, so if you are using the vulnerable versions with the vulnerable security configuration, you should have already updated to version 1.8.28 or later.
Special mention: SQLite
Vulnerability Score: Critical — 9.8
Affected versions: 3.6.0 through 3.27.2 (inclusive)
The SQLite team had their hands full with security issues this year, so we thought it’s right to give this project special mention.
A critical security vulnerability was discovered in vulnerable versions of SQLite3: a boundary condition in the rtreenode() function, when handling invalid rtree tables, could allow remote attackers to send a specially crafted request to the application and trigger a heap out-of-bounds read (CWE-125) that crashes it.
You can read more about the issue and its fix in SQLite’s release notes for 3.28.0 and in the advisory.
SQLite is a C-language library that implements an SQL database engine, and it boasts being the most widely deployed database engine in the world. The project supports all mobile devices, most computers, and a never-ending list of applications, including but not limited to Android, iPhone, and iOS devices, Mac and Windows 10 machines, every instance of Firefox, Chrome, and Safari, every instance of Skype and iTunes, every Dropbox client, PHP and Python, most TV sets and set-top cable boxes, and most automotive multimedia systems.
As is the case with many big and popular open source projects, there are many security-focused eyes on the code, resulting in frequent publication of new security vulnerabilities and their fixes. We are all using devices and applications supported by SQLite. Since many of us are also developing projects dependent on SQLite, it’s critical we keep up with the updated versions so that we don’t find ourselves using vulnerable versions or stuck in a Magellan-type predicament.
Secure your open source components year-in and year-out
There you have it folks, those were our top ten new open source vulnerabilities in 2019, along with one more to keep in mind.
The wide variety of projects just goes to show you that any open source project, young or old, light or massive, might have a vulnerable version that requires updating. It’s also important to remember that while we struggled to narrow it down to ten, there are thousands of new open source security vulnerabilities published every year, the majority of them with a fix. This list of ten includes high to critical severity security issues in highly popular open source projects, but there were thousands of additional new open source security vulnerabilities that were left out.
If there’s one single most important take-away from this list, it is this: make sure to track your open source components and address vulnerable versions as soon as new vulnerabilities are published in the community. Open source components have become an integral part of our software projects. Try to maintain the resolution to keep them secure past January, and throughout this year.
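Tracking components comes down to comparing what a lockfile says is installed against the affected ranges an advisory publishes. The block below is an added example, not Mend's tooling: it encodes the three npm advisories from this list (Lodash fixed in 4.17.11, JS-YAML in 3.13.1, fstream in 1.0.12) and checks a constructed installed-versions map against them. The comparison assumes plain dotted numeric versions; a real scanner would use full semver ranges and the project's lockfile.

```javascript
// Added example, not Mend's tooling: a minimal check of installed package
// versions against the affected ranges quoted on this page. The advisory
// list and the installed-versions map are both constructed.

const ADVISORIES = [
  { package: 'lodash',  fixedIn: '4.17.11', note: 'prototype pollution in merge/mergeWith/defaultsDeep' },
  { package: 'js-yaml', fixedIn: '3.13.1',  note: 'code injection through load()' },
  { package: 'fstream', fixedIn: '1.0.12',  note: 'arbitrary file overwrite through hardlinks' },
];

// Numeric dotted-version comparison: -1, 0 or 1. Missing trailing parts count
// as zero, so "4.17" and "4.17.0" compare equal. Assumes plain x.y.z strings.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// installed: { name: version } as it would be read from a lockfile.
// Returns one finding per advisory whose package is installed below the fix.
function findVulnerable(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.package];
    if (version === undefined) continue; // not a dependency, nothing to report
    if (compareVersions(version, adv.fixedIn) < 0) {
      findings.push({ package: adv.package, installed: version, fixedIn: adv.fixedIn, note: adv.note });
    }
  }
  return findings;
}

// Constructed sample of what a lockfile might resolve to.
const INSTALLED = { lodash: '4.17.10', 'js-yaml': '3.13.1', fstream: '1.0.11', express: '4.17.1' };

console.log(findVulnerable(INSTALLED)); // lodash and fstream flagged, js-yaml at the fixed version passes
```

Note that the comparison is numeric per segment, so `4.17.2` correctly sorts below `4.17.11`; a plain string comparison would get that case wrong and miss the vulnerable version.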