Not Managing Open Source Opens Door for Hackers

guest · May 1, 2019

Not Managing Open Source Opens Door for Hackers
April 30, 2019
https://www.infosecurity-magazine.com/news/not-managing-open-source-opens-1/

Organizations continue to face challenges with managing open source risk, according to a new report published today by published today by Synopsys Cybersecurity Research Center (CyRC).

The annual Open Source Security and Risk Analysis (OSSRA) Report, analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. The results reflect an increase from the number of codebases in 2017, which was only 257.

“At the end of the day, all software is vulnerable to attack – without exception – and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs,” said Cody Brocious, hacker and head of hacker education at HackerOne.
Click to expand...

guest · Jul 18, 2019

The Truth About Vulnerabilities in Open Source Code
July 18, 2019
https://www.darkreading.com/edge/th...rabilities-in-open-source-code/b/d-id/1335187

As worrisome as that might sound, the reality is that whether it's proprietary code or open source code, software will inevitably have vulnerabilities. But experts overwhelmingly agree that open source code libraries are far more secure than commercial software.
The problem isn't in the use of open source libraries. Software vulnerabilities exist because writing secure code is very difficult — which is one reason why so many companies rely on open source projects.
Driving Innovation with Open Source
"Today, in any organization, if you are not using open source, you will be left irrelevant," he says. "The only way to drive innovation, speed, quality, and cost is by adopting open source."
Where Are the Vulnerabilities?
The problem of seeing the same vulnerabilities over and over again is not in the open source code but in the lack of scanning and monitoring of the different libraries enterprises use to develop products.
[...] the bugs are from the software libraries, not the applications themselves. And because open source libraries are used in a whole slew of applications, those vulnerabilities can affect a large swath of applications.
Click to expand...

guest · Aug 10, 2019

Top 5 Open Source Security Risks You Should Know About
August 9, 2019
https://www.fromdev.com/2019/08/top-open-source-security-risks.html

Open-source software is currently used by more than 95 percent of the most popular applications on the enterprise market.
Along with the big advantage of using open-source components, however, comes the risk of exposure to vulnerabilities, which should not be ignored.
The State of Open-Source Security
The real risk comes from the way organizations track and manage it. This includes the way security patches are distributed, how open source vulnerabilities are monitored and fixed, and how reliably organizations are tracking all the open-source components they use.

The reason for open-source vulnerabilities is that the same code that you can see can also be seen by attackers. When they find an exploit, they can use it to extract sensitive data from compromised systems that have not been updated. In many cases, a vulnerability may go undetected for a long time.
Top 5 Open-Source Security Risks You Should Know About [...]
Click to expand...

guest · Aug 29, 2019

The License and Security Risks of Using Node.js
Why open source software could make your application open for exploitation
August 29, 2019
https://dzone.com/articles/the-license-and-security-risks-of-using-nodejs

Open source software now dominates application development. Open source represented 60% of the code analyzed during Black Duck Audits in 2018, up from 57% in 2017 and 35% in 2016.

When a codebase contains open source software, it takes advantage of development work that someone else has already completed for free. But an application using a component doesn’t inherit just its features; it also inherits any licensing and security issues lurking in the component.
Companies using open source code need to make sure they comply with the legal terms under which that code is released, and they need to know whether that code contains any vulnerabilities.
Node.js
Node.js is becoming more widespread because it enables the use of server-side JavaScript. JavaScript is arguably the most popular programming language right now because of its scalability, performance, and ease of use.
Node.js codebases often contain hundreds or even thousands of npm packages. Developers may be unaware of the packages’ direct and indirect dependencies and the security risks associated with them.
Click to expand...

guest · Mar 13, 2020

Open Source Software Vulnerabilities Increased By 50% In 2019: Report
March 13, 2020
https://fossbytes.com/open-source-vulnerabilities-increased-50-percent-2019/

The popularity of open-source components has increased over the years, with more people diverting their attention towards open-source software.

However, using open-source software involves risks as well. A report published by WhiteSource, an open-source security management platform, says that vulnerabilities in open-source software increased by nearly 50% in 2019.
The report gathered data from the National Vulnerability Database (NVD), several security advisories, peer-reviewed vulnerability databases, and popular open-source issue trackers.

The number of reported open source vulnerabilities stood at a record-breaking count of 6,000 in 2019.
However, every cloud has a silver lining, and so does the open-source ecosystem. The report also mentions that over 85% of open source vulnerabilities are disclosed with a fix already available.
Click to expand...

Open-source vulnerabilities: 2020 predictions
The report mentions that the number of open-source flaws will keep rising, thanks to the continued increase of both open-source usage and security research in the domain.
Click to expand...

WhiteSource: The state of open source vulnerabilties 2020

We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
Click to expand...

guest · May 25, 2020

70 Percent of Mobile, Desktop Apps Contain Open-Source Bugs
May 25, 2020
https://threatpost.com/70-of-apps-open-source-bugs/156040/

A full 70 percent of applications being used today have at least one security flaw stemming from the use of an open-source library.

According to Veracode’s annual State of Software Security report, these open-source libraries – free, centralized code repositories that provide ready-made application “building blocks” for developers – are not only ubiquitous but also risky.
The analysis examined 351,000 external libraries in 85,000 applications, and found that open-source libraries are extremely, extremely common.

For instance, most JavaScript applications contain hundreds of open-source libraries – some have more than 1,000 different libraries. In addition, most languages feature the same set of core libraries.

“JavaScript and PHP in particular have several core libraries that are in just about every application,” according to the report.
Click to expand...

The good news is that addressing security flaws in these libraries is not a huge lift.

“Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update; major library upgrades are not usually required,” according to the Veracode report. “This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”
Click to expand...

Veracode: State of Software Security: Open Source Edition
(PDF): https://www.veracode.com/sites/default/files/pdf/resources/reports/state-of-software-security-open-source-edition-veracode-report.pdf

Virtually no modern application can avoid including open source libraries. But how secure are these libraries? We analyzed over 351,000 unique external libraries to find out.
Click to expand...

guest · Jun 8, 2020

Vulnerabilities in popular open source projects doubled in 2019
June 8, 2020
https://www.zdnet.com/article/vulnerabilities-in-popular-open-source-projects-doubled-in-2019/

A study that analyzed the top 54 open source projects found that security vulnerabilities in these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year.

According to RiskSense's "The Dark Reality of Open Source" report, released today, the company found 2,694 bugs reported in popular open source projects between 2015 and March 2020.
Instead, RiskSense looked at other popular open source projects that aren't as well known but broadly adopted by the tech and software community. This included tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet, and others.
Click to expand...

With open source projects now part of roughly 99% of all commercial software projects, RiskSense argues that improvements are now needed in the way security vulnerabilities are handled inside open source projects, but also by the industry as a whole.
This is more important than ever now because "open source projects are generating new vulnerabilities at a historically rapid pace."
Click to expand...

RiskSense: Open Source Software Security Vulnerabilities Doubled in 2019 According to RiskSense Spotlight Report

Research Found a Nearly Two Month Lag between Public Disclosure and NVD Listing of Threats; Jenkins and MySQL are Most Weaponized
Click to expand...

guest · Jun 26, 2020

Open Source Security Issues Exist: Deal With Them, Report Urges
June 25, 2020
https://www.technewsworld.com/story...-Exist-Deal-With-Them-Report-Urges-86729.html

Open Source Software is becoming much more commonplace within organizations, bringing a different set of risks and perceived challenges compared to closed source or proprietary software.

The Information Security Forum (ISF) today released a report to help security professionals recognize the benefits and perceived challenges of using Open Source Software.

"Deploying Open Source Software: Challenges and Rewards," which the IFS calls a briefing document, focuses on setting up a program of protective measures to effectively manage OSS deployment.
One of its goals is to detail the difference between the myths and the realities surrounding open source use. That understanding is critical to securing open source components in mixed code applications, according to ISF.
Click to expand...

Far-Reaching Goals
The ISF guide on deploying open-source software pulls together a quick study for IT workers and other open-source users in enterprise. It provides useful approaches for how organizations can effectively manage the challenges of using OSS, and why they need to do it.
The guide also talks about how to maximize the benefits and reap the rewards of using open-source software.

The security risks of using OSS within IT infrastructure and applications bring core challenges that must be minimized, the guide cautions. That task is made more complex if organizations have limited awareness of the OSS components in use.
Click to expand...

A concerted effort to manage the use of OSS appropriately and effectively is needed. The growing prevalence of OSS needs to be balanced, urged Holland.
For some organizations, the first step is to realize that the myths surrounding OSS are simply illusions.
Click to expand...

Information Security Forum (ISF): Cybersecurity 2020: challenges and threats to be aware of

guest · Sep 14, 2020

Open Source Security's Top Threat and What To Do About It
September 14, 2020
https://www.darkreading.com/risk/op...threat-and-what-to-do-about-it/a/d-id/1338857

Ninety-nine percent of enterprise codebases contain open source components, according to a recent study. But amid that overwhelming adoption, a hazard has emerged: Organizations have lost visibility of the plethora of open source components being used in their applications and infrastructure, making it harder to identify potential security vulnerabilities.

The same thing that makes open source so powerful — a worldwide community of millions of developers constantly churning out new tools to foster efficiency and innovation — also presents its biggest security test. [...] the cost benefits, flexibility, and convenience of open source comes with certain risks that need to be addressed.
Click to expand...

Now, however, developers draw from a massive array of smaller projects they find on GitHub or share with each other.

Can they really trust the code? Does the party who created it stand ready to pinpoint and disclose any security flaws?
How can you be confident all are up to date from a security perspective?
This fragmentation is the No. 1 open source security threat for enterprises, [...] according to a report by information security company RiskSense.
Click to expand...

Here are three essential steps that every enterprise should follow.
By following these three steps, enterprises can ensure that fragmentation in their open source software doesn't have to mean compromised security.
Click to expand...

Synopsis: 2020 Open Source Security and Risk Analysis (OSSRA) Report
(PDF - 1.99 MB): https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2020-ossra-report.pdf

guest · Dec 3, 2020

Open source vulnerabilities go undetected for over four years
December 3, 2020
https://www.helpnetsecurity.com/2020/12/03/open-source-vulnerabilities/

For its annual State of the Octoverse report, GitHub has analyzed over 45,000 active code directories to provide insight into open source security (vulnerabilities) and developers’ practices regarding vulnerability reporting, alerting and remediation.

The Microsoft subsidiary found that security vulnerabilities often go undetected for more than four years before being disclosed.
Additional findings
Security vulnerabilities can impact software directly or through its dependencies.
After examining a year-worth of data collected through its dependency graph, the company has found that most projects on GitHub have at least one open source dependency.
Click to expand...

Another interesting finding is that most open source software vulnerabilities are caused by mistakes, not malicious attacks.

Not that vulnerabilitities introduced by mistake cannot be just as disruptitive as malicious attack – they can, and they are much more likely to impact popular projects, GitHub noted.
Add to this the discovery that a vulnerability typically goes undetected for over four years, and you can see how problems may arise.
Click to expand...

Octoverse report

guest · Dec 9, 2020

Unmanaged open-source software is putting businesses at risk
Most open-source code comes with known vulnerabilities, a new report argues
December 9, 2020
https://www.itproportal.com/news/unmanaged-open-source-software-is-putting-businesses-at-risk/

Unmanaged open-source software is putting businesses at risk, according to a new report from Synopsys.

The company polled 1,500 IT professionals and found that an “overwhelming majority” of modern codebases contain open-source components (sometimes going up to 70 percent).
According to Tim Mackey, Principal Security Strategy at the Synopsys Cybersecurity Research Center, businesses are struggling to effectively track and manage their open-source risk.
Click to expand...

He claims that for the majority of businesses (51 percent) it takes anywhere between two and three weeks to apply an open-source patch.

“The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” he said.
Click to expand...

Synopsis: Six key findings from the ‘DevSecOps Practices and Open Source Management in 2020’ report

This week Synopsys released the “DevSecOps Practices and Open Source Management in 2020” report, findings from a survey of 1,500 IT professionals working in cyber security, software development, software engineering, and web development. The report explores the strategies that organizations around the world are using to address open source vulnerability management, as well as the problem of outdated or abandoned open source components in commercial code.
Click to expand...

guest · Jun 22, 2021

Most Developers Never Update Third-Party Libraries in Their Software: Report
June 22, 2021
https://www.securityweek.com/most-d...e-third-party-libraries-their-software-report

Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.
Click to expand...

While some developers act quickly when learning of vulnerabilities in the libraries they use -- with 25% of bugs addressed within a week -- half of the security holes aren’t patched within seven months after fixes are released. This is because developers lack important information they need to take immediate action.

“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.
Recurrent scanning of tens of thousands of repositories has revealed that 65.0% of the libraries that appear in the first scan are never updated. Furthermore, 14% of the libraries are added after the first scan and never updated, for a total of 79% of libraries being added and forgotten.
Click to expand...

Veracode: State of Software Security v11: Open Source Edition

Get best practices on managing your open source libraries in our State of Software Security v11: Open Source Edition report. Based on 13 million scans of more than 86,000 repositories, SOSS v11: Open Source Edition gives you a unique perspective on the open source libraries in codebases today, how organizations are managing the security of these libraries, and best practices on using open source code securely.
Click to expand...

guest · Jul 27, 2021

Several Bugs Found in 3 Open-Source Software Used by Several Businesses
July 27, 2021
https://thehackernews.com/2021/07/several-bugs-found-in-3-open-source.html

Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects — EspoCRM, Pimcore, and Akaunting — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks.

All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted. Six of the nine flaws were uncovered in the Akaunting project.
Click to expand...

Successful exploitation of the flaws could enable an authenticated adversary to execute arbitrary JavaScript code, commandeer the underlying operating system and use it as a beachhead to launch additional nefarious attacks, trigger a denial-of-service via a specially-crafted HTTP request, and even change the company associated with a user account sans any authorization.
Click to expand...

Rapid7: Multiple Open Source Web App Vulnerabilities Fixed

While it's never great to learn of new vulnerabilities in your own product, all 3 project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure.

Now, I'm not sure why open source is just so much faster than the typical proprietary software vuln-patching pipeline, at least for the disclosures I've been involved in. It might be because, in open source, you're almost guaranteed to have your first communication with a hands-on-keyboard software engineer who is personally and emotionally invested in the software; whereas in proprietary land, first contact might be a lightly monitored support alias, staffed by a third-party provider.
Click to expand...

Remediation
For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders.

Alternatively, since these applications are open source, users can contact these projects directly for any help needed to backport a fix to their own running version.
Click to expand...

guest · Aug 2, 2021

GitLab’s open source Package Hunter detects malicious code in dependencies
August 2, 2021
https://venturebeat.com/2021/08/02/...unter-detects-malicious-code-in-dependencies/

GitLab recently launched a new open source tool to detect malicious code in software components.

Modern software depends on dozens or hundreds of third-party packages, some which may not be actively maintained or monitored for vulnerabilities. Package Hunter, which integrates directly with GitLab’s continuous integration (CI) platform, runs a project’s dependencies in a siloed testing environment known as a sandbox, and leverages “dynamic behavior analysis” to spot malicious packages that attempt to extract sensitive data or otherwise run unintended code.

“Any suspicious system calls are reported to the user for further examination,” GitLab security research Dennis Appelt wrote in a blog post.
Click to expand...

While the benefits of open source software are well understood, the vast majority of codebases contain at least one known open source vulnerability, according to a recent Synopsys report. Another report also concluded that more often that not, developers don’t bother updating third-party libraries they use in their software.
Click to expand...

guest · Aug 5, 2021

5 Security Measures For Open Source Based Apps
OS-based applications aren’t inherently risky and can be totally secure if you know what to do
August 4, 2021
https://dzone.com/articles/security-measures-for-open-source-based-apps

More and more app development teams are utilizing an Open Source base model, with the majority of developers now turning away from custom code.
And with good reason. Open source allows faster development, more innovation, and lower costs.

OSS seems to be winning the popularity contest, but its prevalence brings unique security risks.
Most businesses don’t understand the implications of using open source, and traditional testing methods struggle to detect threats when they’re vulnerable.
Click to expand...

1. Keep Track of OSS
The first step to keeping on top of security is knowing where the risks are. This is especially crucial for larger companies that might be using a business continuity app, containing sensitive data from potentially hundreds of employees.
2. Check the National Vulnerability Database
Because it’s widely used, vulnerabilities in OSS are constantly being reported and published. The National Vulnerability Database (NVD) is a great source of information, in this regard.
3. Outsourcing and Automation
While the NVD is a great resource, it still has to be checked manually. And keeping one eye on these kinds of updates can be time-consuming, meaning information can easily be missed.
There are a number of useful automation software services that can analyze your code for any obvious vulnerabilities.
Click to expand...

4. Encourage Safety Policies
The first line of defense in online security is people. So, implementing standard security policies for OSS users is a great way to reduce risk.
Make security a priority for all your developers and operators. After all, it’s their daily practices that will pose the greatest risks. Make security part of your regular training schedule, enabling developers to recognize risky practices, and how to avoid them.
5. Stay Up to Date
One of the biggest advantages of OSS is also one of its biggest drawbacks. Namely, it's publicly altered and reported on.
However, as soon as a vulnerability is made public, it’s common knowledge to everybody, including hackers. This means hackers will know how best to attack any OSS that has yet to be patched or is just outdated.

So, the best way to stay ahead of hackers is to make sure you’ve always got the most recent version of OSS, and accept any patches that will eliminate risks.
Click to expand...

guest · Nov 10, 2021

Dependency Combobulator: Open source toolkit to combat dependency confusion attacks
November 10, 2021
https://www.helpnetsecurity.com/2021/11/10/dependency-combobulator-open-source-toolkit/

The toolkit, available on GitHub, allows organizations to safeguard against this newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting dependencies within software packages.

Dependency confusion compromises the open source software ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.
Click to expand...

The toolkit is a Python-based toolkit that supports both the npm and maven package management schemes out-of-the-box, as well as enabling extension into other package management systems. It provides extensibility that enables organizations to adapt to new types of dependency attacks.
Click to expand...

guest · Jan 9, 2022

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
January 9, 2022

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.
Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.

The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'.
The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.
Click to expand...

Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit (aws-cdk) were left stunned on seeing their applications print gibberish messages on their console.
These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by a sequence of non-ASCII characters: [...]

Initially, users suspected that the libraries 'colors' and 'faker' used by these projects were compromised [1, 2, 3], similar to how coa, rc, and ua-parser-js libraries were hijacked last year by malicious actors.
But, in fact, it was the dev behind colors and faker who appears to have intentionally committed the code responsible for the major blunder, as seen by BleepingComputer.
Click to expand...

The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
Click to expand...

stapp · Jan 9, 2022

mood said: ↑

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
Click to expand...

This is something which is going to have a big impact.

reasonablePrivacy · Jan 9, 2022

mood said: ↑

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
January 9, 2022
Click to expand...

The ultimate, holy grail (sic!) of insider threats?

guest · Jul 28, 2022

mood said: ↑

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
January 9, 2022
Click to expand...

Protestware on the rise: Why developers are sabotaging their own code
July 27, 2022

If combating attacks and hijackings of legitimate software on open source registries like npm weren’t challenging enough, app makers are increasingly experiencing the consequences of software self-sabotage.

A developer can, on a whim, change their mind and do whatever they want with their open source code that, most of the time anyway, comes “as is” without any warranty. Or, as seen by a growing trend this year, developers deliberately sabotaging their own software libraries as a means of protest — turning software into “protestware.”
Click to expand...

The recent rise of protestware
A week into 2022, thousands of applications that rely on the heavily used npm projects colors and faker broke and began printing gibberish text on users’ screens. It wasn’t a malicious actor hijacking and altering these legitimate libraries. It turned out the projects’ developer Mark Squires had intentionally corrupted his own work to send a message of protest to big corporations.

Socket’s founder Feross Aboukhadijeh told TechCrunch that registries like GitHub are in a difficult position.

“On the one hand, they want to support maintainers’ right to freedom of expression and the ability to use their platform to support the causes they believe in. But on the other hand, GitHub has a responsibility to npm users to ensure that malicious code isn’t served from npm servers. It’s sometimes a difficult balancing act,” said Aboukhadijeh.
Click to expand...

But Lorenc warns the debate about protestware could draw in copycats who would contribute to the problem and detract open source software defenders from focusing on tackling what’s truly important — keeping malicious actors at bay. And with protestware there remain unknown unknowns. What issue is too small — or too big — for protestware?

While no one can practically dictate what an open source developer can do with their code — it is a power developers have always possessed, but are now just beginning to harness.
Click to expand...

guest · Jan 10, 2023

Researchers Find Security Flaw in JsonWebToken Library Used By 20,000+ Projects
By Alessandro Mascellino @a_mascellino - January 10, 2023

A new high-severity vulnerability has been found in the popular JsonWebToken open-source JavaScript package.
Click to expand...

By exploiting the flaw, an attacker could perform remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request, explained Palo Alto Networks in a Monday advisory.

From a technical standpoint, JsonWebToken, which is developed and maintained by Auth0, allows developers to verify/sign JWTs and is principally used for authorization and authentication purposes.
Click to expand...

At the time of writing, the package has over nine million weekly downloads and over 20,000 dependent projects. Because of this, Palo Alto Networks security researcher Artur Oleyarsh said the team immediately warned Auth0 when it first discovered the vulnerability (tracked CVE-2022-23529) in July 2022.

"Typically, attacks on JWTs will involve different forgery techniques abusing buggy JWT implementations," Oleyarsh wrote.
Click to expand...

At the same time, the Palo Alto Networks researcher clarified that to exploit the vulnerability, an attacker must also take advantage of a flaw within the secret management process. Due to the complexity of the vulnerability, Palo Alto Networks suggested a CVSS score of 7.6.

More generally, the cybersecurity expert said security awareness is crucial when using open-source software.

"Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it's something the open source community can take part in."
Click to expand...

Palo Alto Networks - Unit42: Disclosing a New Vulnerability in JWT Secret Poisoning (CVE-2022-23529)

By Artur Oleyarsh - January 9, 2023
Executive Summary
Unit 42 researchers discovered a new vulnerability in the popular JsonWebToken open source project. The vulnerability is identified as CVE-2022-23529, rated high severity (CVSS 7.6).

By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request. If you are using JsonWebToken package version 8.5.1 or an earlier version, please update to JsonWebToken package version 9.0.0, which includes a patch for this vulnerability.
Click to expand...

This package plays a big role in the authentication and authorization functionality for many applications.
Click to expand...

Log in or Sign up

Not Managing Open Source Opens Door for Hackers

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

reasonablePrivacy Registered Member

guest Guest

guest Guest

Log in or Sign up

Not Managing Open Source Opens Door for Hackers

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

reasonablePrivacy Registered Member

guest Guest

guest Guest

Useful Searches