http://www.informationweek.com/news/showArticle.jhtml?articleID=205916637
By Charles Babcock
InformationWeek
January 22, 2008
After reviewing 300 million lines of code in 2007, Palamida, a
vulnerability audit and software risk management company, says it's
identified the five vulnerabilities most frequently overlooked by users
in their open source code.
The five are listed in alphabetical order. Palamida did not attempt to
assign a frequency ranking to the five, CEO Mark Tolliver said. Also,
the Palamida list reflects known vulnerabilities that have been aired
and fixed by their parent projects but are still encountered in the user
base, such as businesses and government agencies. The projects named are
not frequent offenders when it comes to security vulnerabilities, but
their code is so widely used that unpatched vulnerabilities show up in
Palamida's enterprise and nonprofit agency software scans. In all cases,
a patch is available to fix the vulnerability.
Open source code is "not any more vulnerable than commercial software"
and in some cases, less so, said Tolliver. Open source projects tend to
acknowledge their vulnerabilities and fix them promptly, he added.
The company conducts audits on enterprise software, spotting uses of
open source and identifying origins of code. It both sells products to
conduct audits and offers audit services and risk management consulting.
Palamida's list of five frequently overlooked vulnerabilities is as
follows:
* Geronimo 2.0, the application server from the Apache Software
Foundation, contains a vulnerability in its login module that allows
remote attackers to bypass authentication, deploy a module of their own
choosing (including malicious code), and gain administrative access to
the application server. The access is gained by "sending a blank user
name and password with the command line deployer in [Geronimo's]
deployment module," the Palamida report said. A blank user name and
password should trigger a "FailedLoginException" response in Geronimo
2.0 but does not.
A patch for the vulnerability exists at
https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.
Geronimo competes with Red Hat's JBoss and other open source application
servers.
* The JBoss Application Server has a "directory traversal vulnerability
in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5.
It allows remote authenticated users to read or modify arbitrary files
and possibly execute arbitrary code," the Dec. 7 report concluded.
A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.
* The third frequently encountered vulnerability on the list is in
LibTiff, the open source library for reading and writing Tagged Image
File Format, or TIFF, files. The LibTiff package, which also ships
command-line tools for manipulating TIFF images on Linux and Unix
systems, is included in several Linux distributions; releases before
3.8.2 are affected.
Using a LibTiff version before 3.8.2 allows
"context-dependent attackers to pass numeric range checks and possibly
execute code via large offset values in a TIFF directory," the Palamida
report states. The large values can cause an integer overflow or another
unanticipated result, and the flaw constitutes an "unchecked arithmetic
operation," the report said.
A patch is available at
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.
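As an added illustration of the range-check bypass described above (example code written for this page, not libtiff's own source or its patch), the block below parses a constructed 12-byte TIFF directory entry and applies two bounds checks to it: the first does the offset-plus-length arithmetic unchecked in 32-bit integers, so a large offset or count wraps around and passes, while the second proves each operation cannot overflow before performing it. The sample entries, the abbreviated type-size table and the 1000-byte file length are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not libtiff code: a TIFF directory (IFD) entry and the
 * range check that decides whether its data lies inside the file.  The
 * unchecked version wraps in 32-bit arithmetic, so a huge offset passes;
 * the checked version rejects it.  All entries and sizes are constructed.
 */

typedef struct {
    uint16_t tag;     /* e.g. 273 = StripOffsets */
    uint16_t type;    /* TIFF field type code */
    uint32_t count;   /* number of values */
    uint32_t offset;  /* file offset of the values */
} tiff_dir_entry;

/* Byte size of the classic TIFF field types; 0 means "unknown type". */
uint32_t tiff_type_size(uint16_t type)
{
    switch (type) {
    case 1: case 2: case 6: case 7: return 1;   /* BYTE, ASCII, SBYTE, UNDEFINED */
    case 3: case 8:                 return 2;   /* SHORT, SSHORT */
    case 4: case 9: case 11:        return 4;   /* LONG, SLONG, FLOAT */
    case 5: case 10: case 12:       return 8;   /* RATIONAL, SRATIONAL, DOUBLE */
    default:                        return 0;
    }
}

/* Parse one 12-byte little-endian ("II" byte order) IFD entry. */
tiff_dir_entry parse_entry_le(const uint8_t b[12])
{
    tiff_dir_entry e;
    e.tag    = (uint16_t)(b[0] | (b[1] << 8));
    e.type   = (uint16_t)(b[2] | (b[3] << 8));
    e.count  = (uint32_t)b[4] | ((uint32_t)b[5] << 8) |
               ((uint32_t)b[6] << 16) | ((uint32_t)b[7] << 24);
    e.offset = (uint32_t)b[8] | ((uint32_t)b[9] << 8) |
               ((uint32_t)b[10] << 16) | ((uint32_t)b[11] << 24);
    return e;
}

/* Vulnerable check: "offset + count * size <= file_size" in 32-bit
 * arithmetic.  The product or the sum can wrap, so an offset near
 * 0xFFFFFFFF passes and the later read runs far outside the buffer. */
bool entry_in_range_unchecked(const tiff_dir_entry *e, uint32_t file_size)
{
    uint32_t end = e->offset + e->count * tiff_type_size(e->type);  /* may wrap */
    return end <= file_size;
}

/* Hardened check: prove each operation cannot overflow before doing it,
 * and reject unknown types instead of treating them as zero-length. */
bool entry_in_range_checked(const tiff_dir_entry *e, uint32_t file_size)
{
    uint32_t size = tiff_type_size(e->type);
    if (size == 0)
        return false;                         /* unknown type */
    if (e->count > UINT32_MAX / size)
        return false;                         /* count * size would overflow */
    uint32_t len = e->count * size;
    if (e->offset > file_size)
        return false;                         /* starts past end of file */
    return len <= file_size - e->offset;      /* offset + len cannot wrap here */
}

/* Constructed entries: tag 273 (StripOffsets), type 4 (LONG), little-endian. */
static const uint8_t kBenignEntry[12]    = {0x11,0x01, 0x04,0x00, 0x08,0x00,0x00,0x00, 0x64,0x00,0x00,0x00}; /* count 8, offset 100 */
static const uint8_t kWrappingEntry[12]  = {0x11,0x01, 0x04,0x00, 0x08,0x00,0x00,0x00, 0xF0,0xFF,0xFF,0xFF}; /* count 8, offset 0xFFFFFFF0 */
static const uint8_t kHugeCountEntry[12] = {0x11,0x01, 0x04,0x00, 0x00,0x00,0x00,0x80, 0x64,0x00,0x00,0x00}; /* count 0x80000000, offset 100 */

int main(void)
{
    const uint32_t file_size = 1000;  /* constructed file length */
    const uint8_t *samples[] = {kBenignEntry, kWrappingEntry, kHugeCountEntry};
    for (size_t i = 0; i < 3; i++) {
        tiff_dir_entry e = parse_entry_le(samples[i]);
        printf("offset=0x%08x count=%u unchecked=%d checked=%d\n",
               e.offset, e.count,
               entry_in_range_unchecked(&e, file_size),
               entry_in_range_checked(&e, file_size));
    }
    return 0;
}
```

Only the benign entry passes both checks; the entry with offset 0xFFFFFFF0 and the entry with count 0x80000000 both pass the unchecked version because the sum and the product, respectively, wrap to small values, and both are rejected by the checked version. The same pattern (compare against the quotient or the remaining space rather than computing the sum first) applies to any length-plus-offset check on attacker-controlled file structures.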
* The fourth vulnerability on the list is found in Net-SNMP, the suite
of applications that implements the SNMP protocol (versions 1, 2c and
3). When certain versions of Net-SNMP are running in master agentx
mode, the software allows "remote attackers to cause a denial of service
(crash) by causing a particular TCP disconnect, which triggers a freeing
of an incorrect variable," the report said.
A patch is available at
http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
* The fifth overlooked vulnerability is found in Zlib, a software
library used for data compression. Zlib 1.2 releases before 1.2.3 allow
a remote attacker to cause a denial of service (a crash). The attack
uses a crafted compressed stream containing an incomplete code
description of a length greater than 1, which causes a buffer overflow.
The patch consists of upgrading zlib to version 1.2.3 at
www.zlib.net/zlib-1.2.3.tar.gz.
The fact that the vulnerabilities exist doesn't mean that anyone should
stop using open source code. But users should adopt vulnerability
patches or update to the latest, stable version of the code, said
Theresa Bui, VP of marketing at Palamida. A complete description of the
five vulnerabilities, along with their Common Vulnerabilities and
Exposures (CVE) identifiers, can be found in Palamida's Dec. 7 Web site
listing. CVE is a project of the Mitre Corp. that gives each
vulnerability a shared definition and reference number across security
vendors.
Received on Wed Jan 23 00:38:39 2008