9 June 2020
Catalin Cimpanu’s (1) post on the RiskSense study “The Dark Reality of Open Source” is well worth reading. Open source software is used everywhere. A critical vulnerability in an application that is based on open source software can lead to a data breach. But this holds also for commercial software. We can also expect that the number of flaws in open source and commercial software is roughly the same.
The main difference is that the number of open source software reviews is much higher than the number of commercial software reviews. So the results of the study are not really surprising.
In the case of TomCat, 7 of the 72 published vulnerabilities were weaponized. A quick check against the latest Coverity scan results for Apache TomCat (2) shows that the software has 987 defects, thereof 290 not yet fixed.
High impact defects are very valuable for attackers because their exploitation results in a full loss of integrity. The number of high impact defects in TomCat yet not fixed is 171. So we can expect that the number of vulnerabilities that can be weaponized is high.
In the case of Puppet, none of the 72 published vulnerabilities were weaponized. The latest Coverity scan for Puppet (3) shows no high impact vulnerabilities. So the result is not surprising.
What is the difference between Puppet and TomCat? Puppet is written in PHP/Python/Ruby with a defect density of 0.20. The defect density is the number of defects in 1000 LoC. TomCat is written in Java with a defect density of 1.19. Thus, software reviews will definitely detect more vulnerabilities in TomCat than in Puppet.
This has direct impact on your security strategy. If you use TomCat as middle-ware in the DMZ you should design your application to allow frequent patching, means, more robust against changes in the middle-ware. In addition, automated testing is required to ensure operability in the case a patch must be implemented. Finally, your operations team must be prepared to install patches within few hours upon release by the vendor.
Have you ever seen such details for commercial software? Like IIS?
Have a great week.
1. Cimpanu C. Vulnerabilities in popular open source projects doubled in 2019 [Internet]. ZDNet. 2020 [zitiert 8. Juni 2020]. Available at: https://www.zdnet.com/article/vulnerabilities-in-popular-open-source-projects-doubled-in-2019/
2. Synopsys. Coverity Scan – Static Analysis for Apache TomCat [Internet]. 2020 [zitiert 9. Juni 2020]. Available at: https://scan.coverity.com/projects/apache-tomcat
3. Synopsys. Coverity Scan – Static Analysis for Puppet [Internet]. [zitiert 9. Juni 2020]. Available at: https://scan.coverity.com/projects/puppetlabs-puppet