The Apache Software Foundation (ASF) is reviewing the state of security across its 300+ projects in a recently released report. According to the report, the most notable events in 2019 included increased attacks on Hadoop instances, a flaw in Apache HTTP Server 2.4, and a flaw in older versions of Apache Axis.
The foundation looked at key metrics, specific vulnerabilities and the most common ways users of ASF projects were affected by security issues to publish its 2019 security report. Data was gathered through 320 reports of new vulnerabilities that came from emails delivered to firstname.lastname@example.org.
After receiving an email, the security committee is responsible for ensuring that issues are dealt with properly and will actively remind projects of their outstanding issues and responsibilities.
The foundation deemed the most noteworthy events based on severity and risk, readily available exploits, and media attention. The list includes:
- The report Securonix published in January 2019 detailing an increase in attacks on Apache Hadoop instances that have not been configured with authentication. “Public exploits and a Metasploit module exist to perform remote code execution on unprotected Hadoop YARN systems,” Apache wrote in a blog post.
- A flaw reported in April 2019 that allowed a user with permission to write scripts on a web server to elevate those privileges to root.
- Also in April, a flaw in an older version of Apache Axis, which parsed a file retrieved insecurely from an expired domain, allowing remote code execution.
- A serious vulnerability documented in June 2019, when a number of Java build dependencies were being downloaded over insecure paths (HTTP rather than HTTPS).
- The Black Duck Synopsys team found discrepancies in the reported affected versions of older Struts releases.
- Denial-of-service vulnerabilities that Netflix found in August 2019. The vulnerabilities affected various HTTP/2 implementations.
- A RiskSense report highlighted vulnerabilities known to be used by ransomware, four of which were in ASF projects.
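The June 2019 build-dependency issue above is the kind of weakness a project can catch in its own build configuration. The following script is an added example, not code from the report or from any ASF project: it parses a Maven pom.xml, flags every repository or plugin repository whose URL is not served over HTTPS, and produces a hardened copy with plain-HTTP URLs rewritten. The sample POM and its mirror hostnames are constructed for the demonstration.

```python
"""Flag and fix build-dependency repositories fetched over plain HTTP in a Maven pom.xml.

Added example; the sample POM and hostnames below are constructed, not taken
from the ASF report or from any real project.
"""
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"  # XML namespace identifier, not a download URL

# Constructed sample pom.xml: one repository and one plugin repository use
# plain HTTP, one uses HTTPS.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
    <repository>
      <id>legacy-mirror</id>
      <url>http://mirror.example.invalid/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

REPO_TAGS = ("repository", "pluginRepository")


def find_insecure_repositories(pom_xml: str) -> list[tuple[str, str]]:
    """Return (repository id, url) for every repository URL that is not https://.

    Anything that is not HTTPS (plain HTTP, or an unexpected scheme) is reported,
    because a dependency fetched without transport security can be swapped on the wire.
    """
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    findings = []
    for tag in REPO_TAGS:
        for repo in root.iter(f"{{{MAVEN_NS}}}{tag}"):
            rid = repo.findtext("m:id", default="?", namespaces=ns)
            url = (repo.findtext("m:url", default="", namespaces=ns) or "").strip()
            if url and not url.lower().startswith("https://"):
                findings.append((rid, url))
    return findings


def harden_repository_urls(pom_xml: str) -> str:
    """Return a copy of the POM with every http:// repository URL rewritten to https://.

    Only the scheme is changed; the host must actually serve HTTPS for the build
    to keep working, so verify each rewritten mirror before committing the change.
    """
    ET.register_namespace("", MAVEN_NS)  # keep the default namespace on output
    root = ET.fromstring(pom_xml)
    for tag in REPO_TAGS:
        for repo in root.iter(f"{{{MAVEN_NS}}}{tag}"):
            url_el = repo.find(f"{{{MAVEN_NS}}}url")
            if url_el is None or not url_el.text:
                continue
            url = url_el.text.strip()
            if url.lower().startswith("http://"):
                url_el.text = "https://" + url[len("http://"):]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for rid, url in find_insecure_repositories(SAMPLE_POM):
        print(f"insecure repository {rid!r}: {url}")
    print(harden_repository_urls(SAMPLE_POM))
```

Run against a real pom.xml by reading the file into a string and passing it to `find_insecure_repositories`; the same check applies to `~/.m2/settings.xml` mirrors and to Gradle repository declarations, though those need their own parsers.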
“Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, management, and security models. However, one of the things every project has in common is a consistent process for how reported security issues are handled,” ASF wrote. “This report gave metrics for calendar year 2019 showing from the 18,000 emails received we triaged over 300 vulnerability reports leading to fixing just over 100 (CVE) issues.”