Apache Software Foundation released 2019 annual security report

The report covers the security status of all Apache Software Foundation projects in 2019. It reviews key indicators, specific vulnerabilities, and the most common ways in which issues in ASF projects affected users' security.

January 2019: Securonix released a report describing an increase in attacks on Apache Hadoop instances that had not been configured with authentication. The attacks used a public Metasploit module for remote code execution on unprotected Hadoop YARN systems.
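The clusters in the Securonix report were exposed because they ran without authentication, which in Hadoop is governed by a handful of settings in core-site.xml. The following added example (not part of the ASF report or the Hadoop project) audits a core-site.xml for those settings; the two sample configurations are constructed, and the property names hadoop.security.authentication and hadoop.security.authorization are the standard Hadoop keys, whose defaults are "simple" and "false" respectively.

```python
"""Audit a Hadoop core-site.xml for the authentication and authorization
settings that an unprotected cluster lacks. Added example, not project code."""
import xml.etree.ElementTree as ET

# Constructed sample: a cluster that never enabled authentication. Hadoop
# falls back to hadoop.security.authentication=simple, which trusts the
# caller's claimed username.
INSECURE_CORE_SITE = b"""<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>"""

# Constructed sample: Kerberos authentication and service-level authorization on.
HARDENED_CORE_SITE = b"""<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""


def load_properties(xml_bytes: bytes) -> dict:
    """Flatten Hadoop's <property><name/><value/></property> list into a dict."""
    root = ET.fromstring(xml_bytes)  # trusted local config, not user input
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_auth(props: dict) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # Hadoop's built-in default when the key is absent is "simple".
    auth = props.get("hadoop.security.authentication", "simple")
    if auth.lower() != "kerberos":
        findings.append(
            f"hadoop.security.authentication={auth}: callers are not authenticated"
        )
    # Default when absent is "false": RPC service-level authorization is off.
    authz = props.get("hadoop.security.authorization", "false")
    if authz.lower() != "true":
        findings.append("hadoop.security.authorization is not enabled")
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        print(label, audit_auth(load_properties(doc)) or "OK")
```

Run it against a real core-site.xml by reading the file's bytes into `load_properties`; a missing key is treated as the Hadoop default, which is exactly the unauthenticated state the report describes.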

April 2019: A flaw in Apache HTTP Server 2.4 (CVE-2019-0211) was disclosed. A user able to write scripts on the web server could escalate privileges to root. A public exploit exists for this issue.

April 2019: A flaw in older versions of Apache Axis was fixed. The flaw involved insecurely fetching a file from an expired domain, which allowed remote code execution (CVE-2019-0227).

August 2019: The Black Duck team at Synopsys examined older versions of Struts and found that some advisories were inaccurate about which versions were affected. The Struts team studied their findings and published corrections where necessary. This may matter to users running older versions that an advisory described as unaffected but which in fact were affected. However, such users may also be susceptible to other issues that have already been fixed, so we always recommend that users upgrade to the latest version of Struts to ensure they have every published security fix.

August 2019: Netflix discovered denial-of-service vulnerabilities affecting a large number of HTTP/2 implementations. The ASF projects containing HTTP/2 implementations were investigated and analyzed. Apache HTTP Server and Apache Traffic Server released updates addressing the denial-of-service issues that affected them. Apache Tomcat also made performance improvements to its HTTP/2 handling, but these were not denial-of-service issues.

September 2019: A RiskSense report highlighted vulnerabilities known to be used by ransomware, including four in ASF projects. All four had been fixed years earlier, with updates and mitigations available before any ransomware used them. Users should always make sure the ASF projects they use are kept up to date, and should prioritize updates for any remote or critical vulnerabilities. The four flaws are:

  1. CVE-2016-3088 in Apache ActiveMQ. Targeted by XBash; this issue is easy to exploit. It was fixed in ActiveMQ 5.14.0 and can be mitigated.
  2. CVE-2017-12615 in Apache Tomcat. Seeing this issue on the list is surprising, because it affects only a non-default configuration and is unlikely to be exploitable. However, it is used by Lucky (a "Satan" variant), so a server configured in this way would be exposed. The issue affects only the Windows platform in a non-default configuration; it was fixed in Tomcat 7.0.81 and can be mitigated. Note that Lucky also performs brute-force attacks against weak passwords on reachable Tomcat web management consoles.
  3. CVE-2017-5638 in Apache Struts. As is well known, this issue was exploited in the wild, but the first exploitation was found after the fix and advisory had been published. It is used by Lucky (Satan variant). It was fixed in Struts 2.3.32 and can also be mitigated.
  4. CVE-2018-11776 in Apache Struts. This issue was also used by Lucky. It was fixed in Struts 2.3.35 and 2.5.17; it can be mitigated, but upgrading is recommended.

December 2019: A flaw in Apache Olingo allowed XML external entity (XXE) attacks (CVE-2019-17554). The issue could be used, for example, to retrieve arbitrary files from the server. A public example exploiting this issue exists.
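An XXE flaw of this kind lets a document's DTD declare an external entity that the parser resolves and echoes back. The generic mitigation is to refuse any DOCTYPE or entity declaration in untrusted XML before the application parser sees it. The following added example (not Olingo code and not from the ASF report) shows that check with Python's stdlib expat bindings; both sample documents are constructed, including the file path in the rejected payload.

```python
"""Reject untrusted XML that carries a DTD before an application parses it.
Added example for the XXE mitigation described in the text; not Olingo code."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document declares a DOCTYPE or an entity."""


# Constructed sample: a harmless Atom-style feed like an OData response.
BENIGN_DOC = b"""<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Products</title>
  <entry><id>1</id></entry>
</feed>"""

# Constructed sample: an XXE-style payload. A parser that resolves the external
# entity would read the named local file and return its content in <title>.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE feed [ <!ENTITY leak SYSTEM "file:///constructed/example.txt"> ]>
<feed><title>&leak;</title></feed>"""


def parse_untrusted_xml(data: bytes) -> str:
    """Parse untrusted XML, refusing any DOCTYPE or entity declaration.

    Returns the root element's name on success. Raises UnsafeXmlError if the
    document carries a DTD, and xml.parsers.expat.ExpatError if it is not
    well-formed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never load or process external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root_name = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity inside it is declared.
        raise UnsafeXmlError(f"DOCTYPE declaration is not allowed (name={name!r})")

    def on_entity_decl(*_):
        raise UnsafeXmlError("entity declaration is not allowed")

    def on_external_ref(*_):
        raise UnsafeXmlError("external entity reference is not allowed")

    def on_start_element(name, _attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    # An exception raised inside a handler stops parsing and propagates here.
    parser.Parse(data, True)
    return root_name[0]


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without touching any DTD or entity machinery."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return False
    return True


if __name__ == "__main__":
    print("benign:", is_safe_xml(BENIGN_DOC))   # True
    print("xxe payload:", is_safe_xml(XXE_DOC))  # False
```

Rejecting the whole DTD is deliberately coarse: it also blocks entity-expansion denial-of-service documents, and well-behaved OData and Atom clients never need to send one.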

Apache Solr had several flaws that could allow remote code execution. Metasploit modules exist for some of these issues, and public exploits are available.

The European Commission's EU-FOSSA 2 project sponsored bug bounty programs to help find security issues in Apache Tomcat and Apache Kafka. Apache Kafka did not have to fix any issues.

Source: www.linuxidc.com/Linux/2020-02/162208.htm