The Apache Software Foundation Blog
Apache Software Foundation Security Report: 2019
The security committee of The Apache Software Foundation (ASF) oversees and co-ordinates the handling of vulnerabilities across all of the 300+ Apache projects. Established in 2002 and made up entirely of volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.
Statistics for 2019
In 2019 our security addresses received over 18,000 emails in total. After spam filtering and thread grouping this comes to 620 non-spam threads. Unfortunately many genuine security reports look like spam, so the security team is careful to review all messages to ensure real reports are not missed for long.
During 2019 there were a few events worth discussion, either because they were severe and high risk, because they had readily available exploits, or because they attracted media attention. These included:
- January 2019: Securonix published a report outlining an increase in attacks on Apache Hadoop instances that have not been configured with authentication. Public exploits and a Metasploit module exist to perform remote code execution on unprotected Hadoop YARN systems.
- April 2019: A flaw in Apache HTTP Server 2.4 (CVE-2019-0211). A user who has access to write scripts on a web server could elevate those privileges to root. A public exploit is available for this issue.
- April 2019: A flaw in older versions of Apache Axis that parsed a file retrieved insecurely from an expired domain, allowing remote code execution (CVE-2019-0227).
- June 2019: Jonathan Leitschuh contacted us after finding a number of Java build dependencies were being downloaded over insecure paths (i.e. HTTP rather than HTTPS). We did not classify these as security vulnerabilities in themselves as exploiting them would require MITM attacks at build time. We worked with ASF projects including those identified by the reporter to ensure that we use secure URLs. Now, in 2020, a number of repositories are requiring secure URLs.
- August 2019: The Black Duck Synopsys team reviewed older Struts releases and advisories and found some discrepancies in the reported affected versions. The Struts team worked through their findings and issued corrections where needed. This can be important if users are running older versions that they don't think are affected by an issue based on the advisories, but they actually are. However, those same users are likely vulnerable to the other issues that have since been fixed and so we'd always recommend users upgrade to the latest version of Struts to ensure they have a version that contains fixes for all the published security issues.
- August 2019: Netflix found a number of denial of service vulnerabilities affecting various HTTP/2 implementations. ASF projects containing HTTP/2 implementations investigated and analysed the reported issues. Both Apache HTTP Server and Apache TrafficServer released updates to address denial of service issues that affected them. Apache Tomcat also made performance improvements to HTTP/2 handling, but the issues were not classed as denial of service.
- September 2019: A RiskSense report highlighted vulnerabilities known to be used by ransomware, four of which were in ASF projects. All four vulnerabilities were fixed in earlier years and all had updates and mitigations available before any ransomware took advantage of them. Users should always ensure they pay attention to security updates in any ASF projects they use and prioritise updating for any remote or critical vulnerabilities. The four vulnerabilities were:
-- CVE-2016-3088 in Apache ActiveMQ. Targeted by XBash, this issue was trivial to exploit. It was fixed in ActiveMQ 5.14.0 and a mitigation was also available.
-- CVE-2017-12615 in Apache Tomcat. It is surprising to see this issue on the list as it requires a non-default and quite unlikely configuration. However, it is an issue that is probed by Lucky (a variant of "Satan"), so if there is a server configured in this way it will get exposed. This issue only affected Windows platforms with a non-default configuration; it was fixed in Tomcat 7.0.81, and a mitigation is also available. Note that Lucky will also perform brute force attacks targeting weak passwords on accessible Tomcat Web Admin consoles.
-- CVE-2017-5638 in Apache Struts. This issue is known to be exploited in the wild; however, the first exploitation was discovered after the advisory and fix were published. It is used by Lucky (a variant of Satan). It was fixed in Struts 2.3.32 and 2.5.10.1, and a mitigation is also available.
-- CVE-2018-11776 in Apache Struts. This issue is also used by Lucky. It was fixed in Struts 2.3.35 and 2.5.17; a possible mitigation is available, but upgrading is advised.
- Dec 2019: A flaw in Apache Olingo allowing XML External Entity (XXE) attacks (CVE-2019-17554). This issue could be used, for example, to retrieve arbitrary files from a server. A public exploit example exists for this issue.
- A number of flaws in Apache Solr through the year that could allow remote code execution. Public exploits exist for some of the issues as well as a Metasploit module.
- The European Commission EU-FOSSA 2 project sponsored bug bounty programs for users finding security issues in both Apache Kafka and Apache Tomcat. No issues were fixed in Apache Kafka. Two issues were fixed in Apache Tomcat: CVE-2019-0232 (Important severity, affecting Windows platforms, public exploits including a Metasploit module are available) and CVE-2019-0221 (Low severity). As well as running the bug bounties, EU-FOSSA 2 also sponsored a successful hackathon in June 2019.
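The June 2019 item above concerns build dependencies fetched over plain HTTP, which an on-path attacker could tamper with at build time. The following added example (not ASF code) shows the kind of check a project can run over its own Maven pom.xml to find repository URLs that are not served over HTTPS; the sample pom.xml and its repository hosts are constructed for the example.

```python
"""Flag Maven repository URLs that are not fetched over HTTPS.

Added example, not ASF code: inspects <repository>, <pluginRepository> and
<distributionManagement> entries of a pom.xml, the build-time weakness the
ASF worked through with its projects after the June 2019 report.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml: one HTTPS repository, one plain-HTTP repository
# and one plain-HTTP plugin repository (hosts are placeholders).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.invalid/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.invalid/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

# Every element that names a remote repository Maven will download from or
# upload to. Inherited parent POMs and settings.xml are out of scope here.
REPO_PATHS = (
    "m:repositories/m:repository",
    "m:pluginRepositories/m:pluginRepository",
    "m:distributionManagement/m:repository",
    "m:distributionManagement/m:snapshotRepository",
)


def insecure_repositories(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) pairs whose URL scheme is anything other than https.

    Local file:// repositories are reported too; allow-list them if needed.
    """
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    findings: list[tuple[str, str]] = []
    for path in REPO_PATHS:
        for repo in root.findall(path, ns):
            url = repo.findtext("m:url", default="", namespaces=ns).strip()
            if urlsplit(url).scheme.lower() != "https":
                repo_id = repo.findtext("m:id", default="(no id)", namespaces=ns)
                findings.append((repo_id, url))
    return findings


if __name__ == "__main__":
    for repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"insecure repository {repo_id}: {url}")
```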
Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, management, and security models. However one of the things every project has in common is a consistent process for how reported security issues are handled.
The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly. This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.
# # #
[Sankey diagram, created with http://sankeymatic.com/build/, of the 2019 security threads: Threads split into License Confusion, Support Questions and Vulnerability Reports; Vulnerability Reports split into Under Triage and Closed; Closed leads to CVE.]
Posted at 07:13AM Jan 31, 2020 by Sally in General
The Apache News Round-up: week ending 31 January 2020
Farewell, January! We're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 19 February 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html
ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
- CFPs OPEN: Apache Roadshow/DC and ApacheCon North America https://www.apachecon.com/
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/
Apache Code Snapshot – this week, 746 Apache contributors changed 1,854,769 lines of code over 3,280 commits. Top 5 contributors, in order, are: Dan Haywood, Andrea Cosentino, Claus Ibsen, Jean-Baptiste Onofré and Jarek Potiuk.
Apache Project Announcements – the latest updates by category.
- Apache OpenWebBeans-2.0.14 released http://openwebbeans.apache.org/
- Apache SpamAssassin 3.4.4 released http://spamassassin.apache.org/
- Apache HttpComponents Client 5.0 beta7 (GA candidate) released https://hc.apache.org/
Did You Know?
- Did you know that Apache Flink supports schema migration on its state so that application changes can be made without having to start from square one? https://flink.apache.org/
- Did you know that tracks for ApacheCon North America include Big Data integration/Gobblin (incubating), Apache Camel/Integration, Cassandra, CloudStack, Community, Content Delivery, Fineract, Flagon (incubating), Geospatial, Graph, Groovy, HTTP Server/Web, Ignite, Internet of Things, Karaf, Observability, Solr/Lucene/Search, and Tomcat? https://s.apache.org/cfp2020
- Did you know that Amazon, DataStax, IBM, Microsoft, Neo4j, and many others use Apache Tinkerpop? http://tinkerpop.apache.org/providers.html
Apache Community Notices:
- "Trillions and Trillions Served", the documentary on the ASF, is in post-production. Catch the teaser at https://s.apache.org/ASF-Trillions
- Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits
- The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI
- ASF Operations Summary: Q2 FY2020 (August - October 2019) https://s.apache.org/2kv2n
- Celebrating 20 Years Community-led Development "The Apache Way" https://s.apache.org/ASF20thAnniversary
- ASF Founders look back on 20 Years of the ASF https://blogs.apache.org/foundation/entry/our-founders-look-back-on
- Foundation Reports and Statements http://www.apache.org/foundation/reports.html
- ApacheCon: Tomorrow's Technology Today since 1998 http://s.apache.org/ApacheCon
- ASF Annual Report for FY2019 https://s.apache.org/FY2019AnnualReport
- The Apache Software Foundation 2018 Vision Statement https://s.apache.org/zqC3
- Foundation Statement: Apache Is Open. https://s.apache.org/PIRA
- CFP and pre-registration open for the first Pulsar Summit http://pulsar.apache.org/blog/2019/12/18/Pulsar-summit-cfp/
- "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache
- Please follow/like/re-tweet the ASF on social media: @TheASF on Twitter (https://twitter.com/TheASF) and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation
- Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity
- The list of Apache project-related MeetUps can be found at http://events.apache.org/event/meetups.html
- Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby
= = =
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 06:01AM Jan 31, 2020 by Swapnil M Mane in Newsletter