The Apache Software Foundation (ASF) has released a new report examining key metrics, specific vulnerabilities and top security issues across its projects last year. The new report also notes all of the major security events that posed risks to its projects.
According to the report, the first serious security event of last year was a Tomcat issue, CVE-2020-1938, later named “Ghostcat,” which affected Tomcat installations that exposed an unprotected AJP Connector to untrusted networks. Various proof-of-concept exploits for this issue are now public, including a Metasploit module.
In May, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2017-5638, the remote command execution (RCE) vulnerability in Apache Struts 2 that was disclosed and fixed in 2017, to its list of Top 10 Routinely Exploited Vulnerabilities.
In July, Apache Guacamole 1.1.0 was found to be vulnerable to issues in its RDP handling, notably when a user connected to a malicious or compromised RDP server.
A vulnerability was also found in Apache Struts that could lead to arbitrary code execution when an attacker injected Object-Graph Navigation Language (OGNL) expressions into an attribute.
In November, the ASF released an internal tool that gives projects handling security issues a way to edit, validate, and submit their CVE entries to Mitre, rather than each project writing up its own CVE entries and submitting them to Mitre, as was previously the case.
The ASF also released a new automation API, and it became the first organization to obtain a live CVE name using it, the report explained. The ASF added that it will expand this automation this year to streamline the CVE process.
In addition, the foundation reported that, from the 18,000 emails it received, it triaged more than 370 vulnerability reports relating to its projects and fixed 151 CVE issues.
“Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, management, and security models. However, one of the things every project has in common is a consistent process for how reported security issues are handled. The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly. This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted,” the foundation stated.
The full security report from Apache is available here.