Apache Software Foundation releases security report 2019

The Apache Software Foundation (ASF) released the “Apache Software Foundation Security Report: 2019”. According to the report, the most notable events in 2019 include increased attacks on Hadoop instances, vulnerabilities in Apache HTTP Server 2.4, and vulnerabilities in older versions of Apache Axis.

The report describes the security status of all Apache Software Foundation projects in 2019, with a review of key metrics, specific vulnerabilities, and the most common ways that users of ASF projects are affected by security issues.

Highlights

  • January 2019: Securonix published a report outlining an increase in attacks on Apache Hadoop instances that have not been configured with authentication. Public exploits and a Metasploit module exist to perform remote code execution on unprotected Hadoop YARN systems.
  • April 2019: A flaw in Apache HTTP Server 2.4 (CVE-2019-0211).  A user who has access to write scripts on a web server could elevate those privileges to root.  A public exploit is available for this issue.
  • April 2019: A flaw in older versions of Apache Axis that parsed a file retrieved insecurely from an expired domain, allowing remote code execution (CVE-2019-0227).
  • June 2019: Jonathan Leitschuh contacted us after finding a number of Java build dependencies were being downloaded over insecure paths (i.e. HTTP rather than HTTPS).  We did not classify these as security vulnerabilities in themselves as exploiting them would require MITM attacks at build time.  We worked with ASF projects including those identified by the reporter to ensure that we use secure URLs.  Now, in 2020, a number of repositories are requiring secure URLs.
  • August 2019: The Black Duck Synopsys team reviewed older Struts releases and advisories and found some discrepancies in the reported affected versions.   The Struts team worked through their findings and issued corrections where needed.  This can be important if users are running older versions that they don’t think are affected by an issue based on the advisories, but they actually are.  However, those same users are likely vulnerable to the other issues that have since been fixed and so we’d always recommend users upgrade to the latest version of Struts to ensure they have a version that contains fixes for all the published security issues.
  • August 2019: Netflix found a number of denial of service vulnerabilities affecting various HTTP/2 implementations. ASF projects containing HTTP/2 implementations investigated and analysed the issues reported. Both Apache HTTP Server and Apache Traffic Server released updates to address denial of service issues that affected them. Apache Tomcat also made performance improvements to HTTP/2 handling but the issues were not classed as denial of service.
  • September 2019: A RiskSense report highlighted vulnerabilities known to be used by Ransomware which included four in ASF projects.  The four vulnerabilities were all fixed in earlier years and all had updates and mitigations available before any ransomware took advantage of them.  Users should always ensure they pay attention to security updates in any ASF projects they use and prioritise updating for any remote or critical vulnerabilities. The four vulnerabilities were:

    — CVE-2016-3088 in Apache ActiveMQ. Targeted by XBash, this issue was trivial to exploit. It was fixed in ActiveMQ 5.14.0 and a mitigation was also available.

    — CVE-2017-12615 in Apache Tomcat. It is surprising to see this issue on the list as it affects a non-default and quite unlikely flaw. However, it’s an issue that is probed by Lucky (a variant of “Satan”), so if there is a server configured in this way it will get exposed. This issue only affected Windows platforms in a non-default configuration; it was fixed in Tomcat 7.0.81, and a mitigation is also available. Note that Lucky will also do brute force attacks targeting weak passwords on accessible Tomcat Web Admin consoles.

    — CVE-2017-5638 in Apache Struts. This issue is known to be exploited in the wild; however, the first exploitation was discovered after the advisory and fix were published. Used by Lucky (a variant of Satan). It was fixed in Struts 2.3.32 and 2.5.10.1, and a mitigation is also available.

    — CVE-2018-11776 in Apache Struts. This issue is also used by Lucky. It was fixed in Struts 2.3.35 and 2.5.17; a possible mitigation is available but upgrading is advised.

  • December 2019: A flaw in Apache Olingo allowing XML External Entity (XXE) attacks (CVE-2019-17554). This issue could be used, for example, to retrieve arbitrary files from a server. A public exploit example exists for this issue.
  • A number of flaws in Apache Solr through the year that could allow remote code execution.  Public exploits exist for some of the issues as well as a Metasploit module.
  • The European Commission EU-FOSSA 2 project sponsored bug bounty programs for users finding security issues in both Apache Kafka and Apache Tomcat.  No issues were fixed in Apache Kafka.  Two issues were fixed in Apache Tomcat: CVE-2019-0232 (Important severity, affecting Windows platforms, public exploits including a Metasploit module are available) and CVE-2019-0221 (Low severity).   As well as running the bug bounties, EU-FOSSA 2 also sponsored a successful hackathon in June 2019.
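
The June 2019 item above concerns Java build dependencies fetched over HTTP rather than HTTPS. The following is an added example, not code from the ASF report or any ASF project: a Python check that lists plain-HTTP repository URLs in a Maven POM and a Gradle build file. The sample files, the `example.org` hosts and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample build files; hosts under example.org are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.org/maven2</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.org/m2</url></pluginRepository>
  </pluginRepositories>
</project>"""

SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://repo.example.org/gradle" }
    // maven { url "http://old.example.org/" }
    maven { url = uri('https://plugins.gradle.org/m2/') }
}"""

REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}
GRADLE_URL = re.compile(r"""\burl\s*[=(]?\s*(?:uri\s*\(\s*)?["'](http://[^"'\s]+)["']""", re.I)

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def insecure_pom_urls(pom_text):
    """Return (id, url) for each repository element fetched over plain HTTP.
    The xmlns attribute is a namespace name, not a download, so only <url>
    children of repository-like elements are inspected."""
    findings = []
    for elem in ET.fromstring(pom_text).iter():
        if _local(elem.tag) in REPO_TAGS:
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            if fields.get("url", "").lower().startswith("http://"):
                findings.append((fields.get("id", "?"), fields["url"]))
    return findings

def insecure_gradle_urls(gradle_text):
    """Return (line_number, url) for plain-HTTP repository URLs, skipping // comments."""
    findings = []
    for lineno, line in enumerate(gradle_text.splitlines(), 1):
        code = re.sub(r"(?<!:)//.*", "", line)  # keep the "//" in "http://"
        findings += [(lineno, url) for url in GRADLE_URL.findall(code)]
    return findings

if __name__ == "__main__":
    for finding in insecure_pom_urls(SAMPLE_POM) + insecure_gradle_urls(SAMPLE_GRADLE):
        print("insecure dependency source:", finding)
```

A plain text search for `http://` would also flag the POM's `xmlns` namespace name and the commented-out Gradle line; restricting the check to repository URLs avoids both false positives.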