Total vulnerabilities in OSS more than doubled in 2019 from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year, according to a RiskSense report.
Top 10 weaponized CWEs
The study also revealed that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion in the NVD. This delay can cause organizations to remain exposed to serious application security risks for almost two months.
These very long lags were seen across all severities including vulnerabilities rated as ‘Critical’ and those that were weaponized, meaning those where an exploit is present in the wild.
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blindspot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense.
“Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
OSS vulnerabilities doubled in 2019
The number of published open source CVEs more than doubled compared to any previous year. Vulnerabilities increased 130% between 2018 and 2019 (from 421 to 968 CVEs), and was 127% higher than 2017 (435). This increase does not appear to be a flash in the pan since the number of new CVEs has remained at historically high levels through the first three months of 2020.
NVD disclosure latency is dangerously long
Vulnerabilities in open source software are taking an extremely long time to be added to the U.S. NVD. The average time between the first public disclosure of a vulnerability and its addition to the NVD was 54 days.
The longest observed lag was 1,817 days for a critical PostgreSQL vulnerability. 119 CVEs had lags of more than 1 year, and almost a quarter (24%) had lags of more than a month. These lags were consistent across all severities of vulnerabilities, with critical severity vulnerabilities having some of the longest average lag times.
Jenkins & MySQL have the most vulnerabilities
The Jenkins automation server had the most CVEs overall with 646 and was closely followed by MySQL with 624. These two OSS projects also tied for the most weaponized vulnerabilities (those for which exploit code exists) with 15 each.
By contrast, HashiCorp’s Vagrant only had 9 total CVEs, but 6 of them were weaponized, making it one of the most weaponized open source projects in terms of percentage. Meanwhile, Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss all had vulnerabilities that were trending or popular in real-world attacks.
XSS and Input Validation
Cross-Site Scripting (XSS) and Input Validation weaknesses were both some of the most common and most weaponized types of weaknesses in the study. XSS issues were the second most common type of weakness, but were the most weaponized.
Likewise Input Validation issues were the third most common and second most weaponized. Input Validation and Access Control issues were both common and were seen trending in real-world attacks.
Projects by percent of weaponized CVEs
Rare does not equal less dangerous
Some weaknesses were far less common, yet remained very popular in active attack campaigns. Deserialization Issue (28 CVEs), Code Injection (16 CVEs), Error Handling Issues (2 CVEs), and Container Errors (1 CVE) were all seen trending in the wild.
The fact that these issues are rare in OSS is a positive sign for the security of open source code, but also serves as a reminder that when problems do arise they can be attacked quite broadly.
Providing real-world context
Open source software now represents a significant percentage of the average organization’s attack surface. And while open source has many benefits, managing vulnerabilities can pose unique challenges.