The Apache Software Foundation (ASF) has released a new report examining key metrics, specific vulnerabilities, and top security issues across its projects last year. The report also recounts the major security events that posed risks to its projects. According to the report, the first serious security event of the year was an issue in Tomcat, CVE-2020-1938, later named "Ghostcat", which affected Tomcat installations that exposed an unprotected AJP Connector to untrusted networks. Several proof-of-concept exploits for this issue are now public, including a Metasploit module.
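The practical check for the Ghostcat class of exposure is the AJP connector definition in Tomcat's conf/server.xml. The two fragments below are an added example, not code from the ASF report or from the Tomcat project: the first is the older default-style connector that listens on every interface with no authentication, the second is the hardened form that binds to loopback and requires a shared secret from the reverse proxy. The secret value is a placeholder.

```xml
<!-- Added example (not from the report or the Tomcat project): an exposed AJP
     connector beside a hardened one. Replace the placeholder secret. -->

<!-- Weak: no address attribute, so the connector listens on all interfaces.
     AJP carries no authentication of its own, so anything that can reach
     TCP/8009 can send requests to Tomcat as if it were the trusted front end. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind to loopback only (or delete the connector entirely if no
     reverse proxy speaks AJP to this instance), and require the shared secret
     that the proxy must present on every request. secretRequired defaults to
     true from Tomcat 9.0.31 / 8.5.51 / 7.0.100 onward; it is set explicitly
     here so the intent survives upgrades and copy-paste. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="replace-with-a-long-random-value" />
```

The same secret has to be configured on the proxy side (for Apache httpd's mod_proxy_ajp that is the `secret=` parameter on the ProxyPass line, available from httpd 2.4.42; this pairing is an assumption about the deployment, not something the report describes). After restarting Tomcat, confirm the bind address with `ss -ltnp | grep 8009` on the host: the listener should show 127.0.0.1:8009, not 0.0.0.0:8009 or *:8009.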
In May, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2017-5638, the remote command execution (RCE) vulnerability in Apache Struts 2 that was disclosed and fixed in 2017, to its Top 10 Routinely Exploited Vulnerabilities list. In July, Apache Guacamole 1.1.0 and earlier were found to be vulnerable to RDP-related issues, notably when a user connected to a malicious or compromised RDP server.
Also found was a vulnerability in Apache Struts that could lead to arbitrary code execution when attacker-controlled input placed in a tag attribute was force-evaluated as an Object-Graph Navigation Language (OGNL) expression.
In November, the ASF released an internal tool that lets projects dealing with security issues edit, validate, and submit their CVE entries to MITRE, where previously each project was solely responsible for writing up its own CVE entries and submitting them to MITRE.
The report also noted a new CVE automation API, and that the ASF became the first organization to obtain a live CVE name through it. The ASF added that it would expand this automation this year to streamline the CVE process.
In addition, the foundation reported that, from the 18,000 emails it received, it triaged more than 370 vulnerability reports relating to its projects and fixed 151 CVE issues.
“Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, management, and security models. However, one of the things every project has in common is a consistent process for how reported security issues are handled. The ASF Security Committee works closely with the project teams, communities, and reporters to handle issues quickly and correctly. This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted,” the foundation stated.