Open source open to attack
By John Rendleman
Dec 14, 2007
As open-source coding begins to appear with increasing regularity in commercial software products, government users need to be aware of the potential security vulnerabilities in open-source code, industry experts say.
New commercial software products can contain, on a line-by-line basis, as much as 30 percent to 50 percent code that originated via open-source programs, said Mark Tolliver, chief executive officer at Palamida, a company that specializes in analyzing commercial software for elements of open-source code and any potential vulnerabilities.
The proliferation of open-source code has a variety of benefits for software buyers because it can lower the cost of writing new programs, speed the completion of new software projects and let programmers incorporate the best features of other programs, Tolliver said at a conference this week on the impact of open-source programs on the Defense Department, sponsored by the Association for Enterprise Integration.
The benefits, however, can be accompanied by potential security vulnerabilities and other issues, Tolliver said. Palamida, for example, this week released a list of the top five overlooked open-source security vulnerabilities that it encountered in 2007, as well as available fixes.
The top five open-source products and their vulnerabilities:
- APACHE GERONIMO, which in its 2.0 version does not throw FailedLoginException for failed logins, which potentially can allow remote attackers to bypass authentication requirements, deploy arbitrary modules and gain administrative access.
- JBOSS APPLICATION SERVER, which in versions 3.2.4 through 4.0.5 includes a directory traversal vulnerability in the DeploymentFileRepository class, potentially allowing remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code.
- LIBTIFF (Library for reading and writing Tagged Image File Format), which in versions before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code and trigger assert errors.
- NET-SNMP, which in several versions, when running in master-agent mode, can allow remote attackers to cause a denial-of-service crash by causing a TCP disconnect.
- ZLIB, which in Version 1.2 and later versions allows remote attackers to cause a denial-of-service crash via a crafted compressed stream with an incomplete code description of a length greater than one, which leads to a buffer overflow.
The identified vulnerabilities shouldn't discourage users from using any of the products, Palamida said, although they should make sure they're using the latest and most stable version of all software and implement the patches that are available to correct all five of the top vulnerabilities.