Apache Software Foundation Releases 2019 Security Report

Apache Software Foundation (ASF) releases its 2019 security report. According to the report, the most notable events of 2019 include increased attacks on Hadoop instances, vulnerabilities in Apache HTTP Server 2.4, and vulnerabilities in older versions of Apache Axis.

According to reports, the report explores the security status of all Apache Software Foundation projects for calendar year 2019. It reviews key metrics, specific vulnerabilities, and the most common ways in which users of ASF projects are affected by security issues.

Officials say their security address received more than 18,000 emails in 2019. After spam filtering and thread grouping, 620 non-spam threads remained. Of these 620, 138 (22 percent) were from people confused by Apache licenses, and 162 (26 percent) were neither spam nor reports of new vulnerabilities, often asking about the kinds of support available or how to handle old vulnerabilities.


Figure: 2019 Calendar Year ASF security email threads breakdown

Notable events

Some events in 2019 are worth discussing, either because of their severity and high risk, because ready-to-use exploits exist for them, or because of the media attention they received. These include:

January 2019: Securonix released a report outlining an increase in the number of attacks on Apache Hadoop instances that had not been configured to require authentication. Public exploits and Metasploit modules exist that enable remote code execution on unprotected Hadoop YARN systems.

April 2019: A vulnerability in Apache HTTP Server 2.4 (CVE-2019-0211) allowed users who could write scripts on a web server to escalate their privileges to root. A public exploit exists for this issue.

April 2019: Older versions of Apache Axis insecurely parsed files retrieved from an expired domain, allowing remote code execution (CVE-2019-0227).

June 2019: Jonathan Leitschuh contacted us after discovering that a large number of Java build dependencies were downloaded over an insecure path, HTTP rather than HTTPS. We do not classify these issues themselves as security vulnerabilities, because exploiting them requires a MITM attack at build time. We worked with ASF projects, including those identified by the reporter, to ensure that they use secure URLs. By 2020 many repositories require secure URLs.
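The build-time exposure described above is easy to audit for: a repository declared with a plain `http://` URL is one a network attacker between the build machine and the mirror could tamper with. The following scanner is an added example written for this page, not code from the ASF or from the reporter; it flags insecure repository URLs in Maven `pom.xml` files and in Gradle build scripts, while deliberately ignoring things that look like URLs but are never fetched (the `xmlns` namespace URI and the project homepage `<url>`). All file names and hosts in the sample inputs are constructed for the example.

```python
"""Flag dependency repositories that a build would fetch over plain HTTP."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts whose traffic never leaves the machine; plain HTTP to them is not a MITM exposure.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Maven elements whose <url> child is an artifact download/upload endpoint.
# <project><url> (the homepage) and the xmlns namespace URI are identifiers, not fetches.
MAVEN_REPO_PARENTS = {"repository", "pluginRepository", "snapshotRepository"}

# Gradle, Groovy and Kotlin DSL:  url "…" / url = "…" / url uri("…") / url = uri("…")
GRADLE_URL_RE = re.compile(r"""\burl\s*=?\s*(?:uri\()?\s*['"](http://[^'"]+)['"]""")


def _is_insecure(url: str) -> bool:
    parts = urlsplit(url.strip())
    return parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS


def _line_of(text: str, needle: str) -> int:
    """1-based line on which `needle` first appears, for reporting."""
    return text[: text.index(needle)].count("\n") + 1


def insecure_urls_in_pom(xml_text: str) -> list[tuple[int, str]]:
    """Return (line, url) for every repository URL in a pom.xml that uses http://."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        parent = parent_of.get(el)
        if local != "url" or parent is None:
            continue
        if parent.tag.rsplit("}", 1)[-1] not in MAVEN_REPO_PARENTS:
            continue
        url = (el.text or "").strip()
        if _is_insecure(url):
            findings.append((_line_of(xml_text, url), url))
    return findings


def insecure_urls_in_gradle(script: str) -> list[tuple[int, str]]:
    """Return (line, url) for every maven { url … } declaration that uses http://."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for match in GRADLE_URL_RE.finditer(line):
            if _is_insecure(match.group(1)):
                findings.append((lineno, match.group(1)))
    return findings


def scan_build_file(filename: str, text: str) -> list[tuple[int, str]]:
    """Dispatch on the build file type; unknown files produce no findings."""
    if filename == "pom.xml":
        return insecure_urls_in_pom(text)
    if filename.startswith(("build.gradle", "settings.gradle")):
        return insecure_urls_in_gradle(text)
    return []


# Constructed sample inputs (hosts under .test are reserved and never resolve).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <url>http://example.test/homepage</url>
  <repositories>
    <repository>
      <id>mirror</id>
      <url>http://repo.example.test/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>local</id>
      <url>http://localhost:8081/repository/plugins</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://mirror.example.test/repo" }
    maven { url = uri("https://repo.example.test/secure") }
    maven { url 'http://localhost:8081/repository/internal' }
}
"""

if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.gradle", SAMPLE_GRADLE)):
        for lineno, url in scan_build_file(name, text):
            print(f"{name}:{lineno}: insecure repository URL {url}")
```

Only the two real download endpoints are reported: the Maven namespace URI, the project homepage, the HTTPS repositories and the loopback-only repositories are skipped. Rewriting a flagged URL to `https://` is a manual step, since not every mirror serves TLS and the fix may be to change mirrors rather than schemes.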

August 2019: The Black Duck Synopsys team reviewed older Struts versions and advisories and found some discrepancies in the reported affected versions. The Struts team will study their findings carefully and publish corrections as needed. This may matter to users running an older version who believed, based on the advisories, that their version was not affected. However, those same users are likely exposed to other issues that have been fixed since then, so we always recommend upgrading to the latest version of Struts to ensure it contains fixes for all published security issues.

August 2019: Netflix discovered a number of denial-of-service vulnerabilities affecting various HTTP/2 implementations. ASF projects with HTTP/2 implementations were investigated and the reported issues analyzed. Both Apache HTTP Server and Apache Traffic Server released updates to address the denial-of-service issues that affected them. Apache Tomcat also made performance improvements to its HTTP/2 handling, but those issues were not classified as denial of service.

September 2019: A RiskSense report highlighted vulnerabilities known to be used by ransomware, including four in ASF projects. All four were fixed in earlier years, with updates and mitigations available before any ransomware exploited them. Users should always follow the security updates for every ASF project they use and prioritize updates for any remote or critical vulnerabilities.

December 2019: A vulnerability in Apache Olingo allowed XML External Entity (XXE) attacks (CVE-2019-17554). This issue could be used, for example, to retrieve arbitrary files from the server. A public exploit exists for this issue.
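XXE works because an XML document can carry a DTD that declares an entity whose content is read from a file or URL on the server; the defence is to stop the parser from honouring DTDs at all for input that arrives from outside. The following is an added example, not Olingo's or the ASF's code, of that policy using Python's expat parser: any DOCTYPE or external entity reference aborts the parse before anything is resolved, while ordinary documents are parsed into a simple tag-path-to-text mapping. The two sample documents are constructed for the example, and the file URI in the rejected one is a placeholder that is never fetched.

```python
"""Parse XML from untrusted sources while refusing the DTD features that enable XXE."""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML tries to use a DTD or an external entity."""


def parse_untrusted_xml(data: bytes) -> dict[str, str]:
    """Return {"root/child/...": text} for a document, rejecting any DTD.

    Entities can only be declared inside a DOCTYPE, so refusing the DOCTYPE
    outright is simpler and safer than trying to resolve entities "carefully".
    """
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (an external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of <!DOCTYPE ...>, before any entity is read.
        raise UnsafeXmlError(f"DOCTYPE for '{name}' rejected: DTDs are not accepted")

    def reject_external_entity(context, base, sysid, pubid):
        # Belt and braces: reached only if an external entity is referenced.
        raise UnsafeXmlError(f"external entity reference to {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    result: dict[str, str] = {}
    path: list[str] = []
    text_parts: list[str] = []

    def start(name, attrs):
        path.append(name)
        text_parts.clear()

    def chars(text):
        text_parts.append(text)

    def end(name):
        # Record the text of the element that just closed (leaf text only).
        result["/".join(path)] = "".join(text_parts).strip()
        path.pop()
        text_parts.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised inside handlers propagate here
    return result


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the policy above, False if rejected or malformed."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False


# Constructed sample inputs.
BENIGN_DOC = b"<order><id>42</id><item>widget</item></order>"
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///placeholder-never-fetched">]>'
    b"<data>&ext;</data>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    print("DTD document accepted:", is_accepted(DTD_DOC))
```

The same policy is what the well-known hardening settings for Java parsers (disallowing DOCTYPE declarations and external entities) express; the point is that it is applied before any entity is resolved, so the server never opens the referenced file.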

Over the past year, Apache Solr has had a number of vulnerabilities that could allow remote code execution. Public exploits, including a Metasploit module, exist for some of these issues.

The European Commission's EU-FOSSA 2 program sponsored a vulnerability bounty program in which participants looked for security issues in Apache Kafka and Apache Tomcat. No issues were resolved in Apache Kafka. Two issues were fixed in Apache Tomcat: CVE-2019-0232 (affecting the Windows platform, with public exploits including a Metasploit module) and CVE-2019-0221 (low severity). In addition to the vulnerability bounty, EU-FOSSA 2 sponsored a successful hackathon in June 2019.

“The Apache Software Foundation's projects are highly diverse and independent,” the ASF said. “They have different languages, communities, management, and security models. However, one thing every project has in common is a consistent process for handling reported security issues.” “The report provides metrics for calendar year 2019, showing that more than 300 vulnerability reports were compiled from the 18,000 emails we received, leading to fixes for more than 100 (CVE) issues,” it said.