Top 5 New Open Source Vulnerabilities in March 2018
Many of us take this time in April to celebrate spring and the rebirth of nature. Snow melts, cherry blossoms bloom, and the ever-elusive Easter eggs are hunted down with glee and diligence over rolling green hills. In our corner of the cyberverse, security vulnerabilities in open source components are the target of our hunt, and as per usual, we’ve come up with an overflowing basket of goodies.
This month’s roundup of the top 5 new open source security vulnerabilities was aggregated by the Mend database, which is updated continuously from the National Vulnerability Database (NVD), in addition to a number of publicly available, peer-reviewed open source security advisories.
Our top 5 list of projects hit by vulnerabilities this March includes some wildly popular platforms and components, serving millions of users worldwide. Some are reborn from previous vulnerabilities, while others are fresh newcomers. All of them prove, once again, that the open source ecosystem is a dynamic one filled with hard-working folk who continuously keep us on our toes.
If we’ve tickled your curiosity, or if you are using open source components in your projects (you know you are), take a look at March’s top 5 new open source security vulnerabilities.
#1: Drupal
Vulnerability Score: High — 7.3
Affected versions: Drupal 6, 7.x before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
This is a big one, folks. Drupal is the popular, free, and open source content management platform that web developers either love to hate or embrace with deep everlasting adoration. The divide between lovers and haters will no doubt deepen as the fallout from this highly-critical vulnerability affectionately referred to as Drupalgeddon, otherwise known as CVE-2018-7600, continues.
Drupal is an extremely popular and widely used CMS. Its project usage page indicates that over one million sites are running the affected versions, or about 9% of sites that are running a known CMS according to Builtwith. This leaves many Drupal sites open to malicious attacks if the versions aren’t patched or updated.
Drupal site admins were put on high alert when the Drupal team issued a security announcement two weeks ago (March 21), informing site admins of a security release scheduled for the following week (March 28). Administrators were urged to “reserve time for core updates” because “exploits might be developed within hours or days.”
Vulnerable versions could potentially allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. According to the security advisory, this could allow attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Drupal’s vulnerability rating for the issue is 21/25 (Highly Critical), based on the NIST Common Misuse Scoring System.
Drupal warns that attackers can exploit the flaw through several avenues. The problem lies in Drupal core and is caused by missing input validation. The Drupal team’s FAQ page for the vulnerability paints an alarming picture, saying that it could be extremely easy for an attacker to exploit the vulnerability, simply by visiting a web page, even without any user privileges. A hacker visiting an affected site could gain access to, modify, and delete private data.
Drupal says that only “drastic” configuration changes will mitigate the vulnerability and recommends installing the security release, stressing that “while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” and adding that the security team “strongly recommends that the best solution is for sites to upgrade.”
According to the Drupal security team, so far no public documentation or exploit code exists, nor do they know of the vulnerability being exploited at this time.
For more information about updating to safer versions, visit Drupal’s security advisory page.
#2: Microsoft ChakraCore
Vulnerability Score: High — 7.6
Affected versions: ChakraCore and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016, Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2.
As the love story between Microsoft and the open source community blossomed, Microsoft decided to take the relationship one step further about two years ago and announced that it had open-sourced the core components of the Chakra JavaScript engine that powers Microsoft Edge, making it available on GitHub under the MIT license.
ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers the Microsoft Edge browser and Windows applications written in HTML, CSS, or JS on Xbox, Windows phones, and the traditional PC, as well as Azure’s Document DB, Cortana and NodeJS, which makes it available on the Windows 10 IoT core. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of current JavaScript features.
ChakraCore is a JavaScript virtual machine that is embeddable in products such as game engines and NoSQL databases, and can be used to extend the reach of JavaScript on server and cloud-based services. It supports a set of modern diagnostic APIs that are platform agnostic and could be made interoperable across different implementations. ChakraCore also supports the JavaScript Runtime (JSRT) APIs, allowing developers to easily embed ChakraCore in a variety of applications.
This March, the power of the open source community and its many, many expert eyes once again showed us, and Microsoft, how opening a project to a collaborative community can make it better and safer for users. Researchers found a number of security vulnerabilities in ChakraCore, and version updates and fixes were quick to follow.
The multiple vulnerabilities found in ChakraCore could be exploited by hackers to create content that when loaded by target users, allows the hackers to access sensitive data from the unsuspecting victim’s system, or execute arbitrary code on it.
Based on data in the NVD, the vulnerabilities include a “Chakra Scripting Engine Memory Corruption Vulnerability” (CVE-2018-0876, CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0930, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934, CVE-2018-0936, CVE-2018-0937), potentially allowing remote code execution.
The NVD also lists a “Scripting Engine Information Disclosure Vulnerability” (CVE-2018-0891, CVE-2018-0939), caused by the way the scripting engine handles objects in memory.
The vulnerabilities listed here are some of the ones that were fixed by Microsoft and the open source community this past month; our database collected additional ones. You can find more information about all of the ChakraCore vulnerabilities and their fixes here.
#3: Jackson-databind
Vulnerability score: Critical — 9.8
Affected versions: before 2.8.11.1 and 2.9.x before 2.9.5
Jackson-databind’s ability to translate between the popular data exchange format JSON and Java objects makes it hugely popular among Java folk.
This recent deserialization vulnerability is considered highly risky, and reached a high 9.8 score on the vulnerability scale, because attackers might perform remote code execution by sending maliciously-crafted JSON input to the readValue method of ObjectMapper, bypassing an ineffective blacklist.
Unfortunately, this isn’t the first time this type of deserialization flaw has been found in the beloved project. It all started way back in 2017 with the infamous CVE-2017-7525, a deserialization flaw which scored a high 7.8 on the CVE scale, earning it the dubious second place out of ten in our Top 10 Security Vulnerabilities of 2017 list.
As the community worked to swiftly remediate this vulnerability, further security vulnerabilities followed, because the blacklists used in the fixes were incomplete. CVE-2017-17485, which we reported in January, is another vulnerability that resulted from an incomplete fix to the original Jackson-databind vulnerability, and this new vulnerability is another doozy.
The rate at which each of these new Jackson-databind vulnerabilities has been published and fixed assures us that the community is on it. So while this may not be the last we hear about the notorious Jackson-databind vulnerability of 2017, as long as we keep track of and manage the security updates, we can be confident that we will get to the vulnerable Jackson-databind components in our code before the hackers do. The fix can be found on GitHub.
#4: Moment.js
Vulnerability Score: High — 7.5
Affected versions: before 2.19.3 for Node.js
You heard it here first. We reported on this vulnerability back in our December open source vulnerability update. This vulnerability has been in the Mend database since December, aggregated from a security advisory, and has now been given a CVE index and added to the NVD.
Moment.js is a free and open source JavaScript library that helps JavaScript developers work with date and time objects easily, without having to wrestle with the troublesome native JavaScript Date object directly.
It’s hard to think of an application that doesn’t need to use dates and times. Whether it’s tracking the creation of an object using the time since an event occurred, or saving the date of an event, JavaScript’s Date object doesn’t make it easy, requiring a developer to write many lines of code for complex parsing, validation, or display of dates. Moment enables developers to easily parse, format, and manipulate dates and times, and offers various plugins for additional features such as time-zone support, recurrence, and Twitter integration.
Moment.js is an extremely popular open source project. According to GitHub data, it’s supported by a large and active community, consisting of over 470 contributors and over 3600 commits in the six years since its release.
This component has a pretty solid history with security. Since it was initially released, apart from a previous Regular Expression Denial of Service (ReDoS) vulnerability in 2016, it’s been relatively safe.
However, in December 2017 Moment.js got hit with this vulnerability that researchers say could leave users open to yet another ReDoS attack, with a high vulnerability rating of 7.5.
The fix for this vulnerability is to update Moment.js to version 2.19.3.
You can read more about the latest Moment.js vulnerability and its remediation here, and here.
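To make the ReDoS class of bug concrete, here is an added example that is not Moment.js code and does not reproduce its patched pattern. It uses a constructed regular expression with nested quantifiers, shows the same acceptance test rewritten as a single linear pass, and adds an input-length guard of the kind a service can deploy while a library upgrade is pending. The pattern, the 64-character limit and the timing inputs are all assumptions for illustration.

```javascript
// Added example (not Moment.js code): why a backtracking regular expression
// is a denial-of-service vector, and two defensive controls. The pattern and
// the inputs below are constructed for illustration.

// Nested quantifiers: on a near-miss input (digits followed by a character
// that is not "x") the engine tries every way of splitting the digit run
// before it gives up, so the running time roughly doubles per extra digit.
const NESTED_QUANTIFIER = /^(\d+)+x$/;

// The same acceptance test as a single left-to-right pass: no backtracking,
// so the cost is linear in the input length.
function safeDigitsThenX(s) {
  if (s.length < 2 || s[s.length - 1] !== 'x') return false;
  for (let i = 0; i < s.length - 1; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return false; // not an ASCII digit
  }
  return true;
}

// Second control: refuse oversized input before any regex runs. This does
// not fix a bad pattern, but it caps the work one request can trigger.
const MAX_INPUT_LENGTH = 64; // assumption: no legitimate date string is longer
function guardedTest(re, s) {
  if (s.length > MAX_INPUT_LENGTH) {
    throw new RangeError(`input of ${s.length} chars exceeds ${MAX_INPUT_LENGTH}`);
  }
  return re.test(s);
}

// Measure both checkers on a constructed near-miss input of n digits.
function measure(n) {
  const nearMiss = '1'.repeat(n) + '!';
  const t0 = Date.now();
  const regexResult = NESTED_QUANTIFIER.test(nearMiss);
  const t1 = Date.now();
  const linearResult = safeDigitsThenX(nearMiss);
  const t2 = Date.now();
  return { n, regexResult, linearResult, regexMs: t1 - t0, linearMs: t2 - t1 };
}

// Stand-alone run: regexMs grows steeply with n while linearMs stays near zero.
for (const n of [14, 16, 18, 20]) {
  console.log(JSON.stringify(measure(n)));
}
```

The two checkers agree on every input; only their worst-case cost differs. That is the practical lesson of a ReDoS advisory: the fix is a pattern (or hand-written parser) whose cost does not depend on how the input fails to match, and until the fixed version is deployed, a length bound on untrusted input limits how expensive a single request can be.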
#5: Marked.js
Vulnerability Score: High — 7.1
Affected versions: through 0.3.5
WS-2018-0031
Marked.js is an open source low-level markdown compiler. Markdown is a markup language with plain text formatting syntax for easy conversion to HTML. Marked.js enables frequent parsing of large chunks of markdown without caching or blocking for long periods of time. Marked.js is a good fit for many web developers because it’s available as a command line interface (CLI) and can also run in client- or server-side JavaScript projects.
This security vulnerability could allow an attacker to execute a Cross-Site Scripting (XSS) attack, due to sanitization bypass using HTML entities. The vulnerability was given a severe 7.1 vulnerability score, because attackers could exploit it to go past the Marked.js controls meant to protect against content injection, simply by using HTML entities, and send malicious script to an unsuspecting Marked.js user. The malicious code could then access cookies, session tokens, or other sensitive data, or even rewrite the content of the web page.
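The following is an added example, not Marked.js code, and it does not claim to reproduce Marked’s internals. It shows the general shape of an entity-based sanitization bypass: a filter that inspects raw text before character references are decoded never sees the tag it is supposed to block. The filter, the decoder, the corrected ordering and the test inputs are all constructed for illustration.

```javascript
// Added example (not Marked.js code): an HTML-entity sanitization bypass of
// the kind the advisory describes, beside a corrected pipeline. Everything
// here is constructed for illustration.

const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode named and numeric (&#60; / &#x3c;) character references.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match; // unknown name: leave the reference untouched
  });
}

// Escape the characters that can start markup inside an HTML text node.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable order (constructed): a tag-stripping filter runs on the raw
// input, and only afterwards are entities decoded for display. The filter
// never sees a "<" in "&lt;script&gt;", so the decoded output is live markup.
const TAG_PATTERN = /<\/?[a-z][^>]*>/gi;
function renderVulnerable(input) {
  const filtered = input.replace(TAG_PATTERN, '');
  return decodeEntities(filtered);
}

// Corrected order: normalise first (decode every entity form), then escape
// what remains, so no decoding step runs after the security decision.
function renderHardened(input) {
  return escapeHtml(decodeEntities(input));
}

// Review aid for rendered or stored HTML: does it contain a script-capable
// element or an inline event-handler attribute?
function looksLikeActiveContent(html) {
  return /<script\b|<iframe\b|\bon[a-z]+\s*=/i.test(html);
}

// Stand-alone run with a constructed payload.
const sample = '&lt;script&gt;evil()&lt;/script&gt;';
console.log('vulnerable:', renderVulnerable(sample), looksLikeActiveContent(renderVulnerable(sample)));
console.log('hardened:  ', renderHardened(sample), looksLikeActiveContent(renderHardened(sample)));
```

A real markdown renderer keeps an allowlist of tags rather than escaping everything, but the ordering rule is the same: every decoding or normalisation step must happen before the sanitizer looks at the text, never after, or the sanitizer is reasoning about a different string than the one the browser receives.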
This vulnerability is yet to be added to the NVD database. While the NVD is very extensive and widely regarded, many aren’t aware that it isn’t the only vulnerability database out there, or that it doesn’t contain all open source vulnerabilities.
This vulnerability is one example. It was discovered by a research group and included in an advisory that is not included in the NVD’s database. This is why Mend’s open source vulnerability database doesn’t limit itself to only NVD vulnerabilities, and continuously aggregates data from additional security sources. As this vulnerability is not listed on the NVD, it is registered with a respectable “WS” prefix, rather than the common “CVE” ID.
You can learn more about this vulnerability and its fix on GitHub.
Keep calm and mind your open source components
In the olden days the development community used to argue whether open source was as secure as proprietary software. If the projects in this list tell us anything, it’s that those days are over. Open source components are in our browsers, our websites, our video games, and in most of the software products that we develop. The open source community continues to grow and works hard, taking proactive steps to keep those products secure.
The question is no longer “is open source safe to use” but rather “how do I manage open source security.” Here at Mend.io, our answer is clear: we put our trust in the community. We suggest that you make it your business to follow the security advisories, update when necessary, and check in with us next month for our new top 5 vulnerability list.
So, until next month’s roundup, stay safe and keep your open source libraries up to date.