Top 5 New Open Source Security Vulnerabilities in August 2019

As summer wanes, some of us heave a sigh of relief while others take one last weekend at the beach before autumn settles in. One thing we all have in common is open source, and one thing all open source components have in common is security vulnerabilities. That’s why, rain or shine, Labor Day or labor-intensive week, our Knowledge Team combed our open source vulnerabilities data to bring you the top 5 new open source security vulnerabilities in August.

The WhiteSource database continuously aggregates known open source security vulnerabilities from a number of respected resources like the National Vulnerability Database (NVD), as well as other public, peer-reviewed security advisories, and issue trackers so that we can collect and deliver the most comprehensive data published about known open source security vulnerabilities.

From Linux to Kubernetes, from Go to Bower, August’s top 5 includes some of the most popular open source projects in use, maintained by active, enthusiastic, and ever-expanding communities. Regardless of the programming language, framework or technology you use, you’re going to want to stay on top of August’s new known open source vulnerabilities.

#1 Linux kernel

CVE-2019-15292

Vulnerability Score: Critical — 9.8

Affected versions: prior to 5.0.9.

Given the size of the community and the volume of code, it’s no surprise that a lot of community resources are invested in discovering issues in this OG open source project and swiftly fixing them. It appears the community worked as hard as ever in August, publishing a whopping 32 new open source security vulnerabilities in the Linux kernel.

This issue is one of two critical vulnerabilities from the impressive August haul. According to the Ubuntu security notice, it was discovered that the Empia EM28xx DVB USB device driver implementation contained a use-after-free vulnerability when disconnecting the device. The notice further states that an attacker could use this to cause a denial of service (system crash).

Make sure to check whether you’re using a vulnerable version, and read more about this Linux kernel security issue and its fix here, here, and here.

#2 Go

CVE-2019-14809

Vulnerability Score: Critical — 9.8

Affected versions: before 1.11.13 and 1.12.x before 1.12.8

It wasn’t that long ago that we put a spotlight on Go’s top 5 known vulnerabilities, and here is another one to add to the list. The Google Go team proved that younger projects are also putting in the work, and published this highly critical vulnerability. This URL parsing and validation issue in Go’s net/url package leads to an authorization bypass in some applications. The vulnerability could allow attackers to compose a crafted javascript:// URL that results in a hostname of google.com.
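The bypass described above only bites applications that authorize a URL because its parsed hostname looks trusted. As an added example (not code from the Go project or the advisory), the hardened check below requires an http(s) scheme, an exact allowlisted hostname, a numeric in-range port, and a Host field fully explained by Hostname() and Port(); the allowlist entries are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// allowedHosts is a constructed allowlist standing in for an application's trusted redirect targets.
var allowedHosts = map[string]bool{"example.com": true, "www.example.com": true}

// checkHostnameOnly is the pattern the advisory's authorization bypass relies on: trusting a URL
// because Hostname() is allowlisted. Even on a fixed Go it accepts "javascript://example.com/".
func checkHostnameOnly(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && allowedHosts[strings.ToLower(u.Hostname())]
}

// authorizeURL is the hardened check: parse errors are rejections, the scheme must be http(s),
// the hostname must match the allowlist exactly, the port must be numeric and in range, and
// Host must be fully explained by Hostname() and Port() so no trailing host junk slips through.
func authorizeURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw) // a fixed net/url already fails here for a non-numeric port
	if err != nil {
		return nil, fmt.Errorf("reject: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("reject: scheme %q is not http or https", u.Scheme)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return nil, fmt.Errorf("reject: host %q is not allowlisted", u.Hostname())
	}
	expect := u.Hostname()
	if p := u.Port(); p != "" {
		if n, err := strconv.Atoi(p); err != nil || n < 1 || n > 65535 {
			return nil, fmt.Errorf("reject: invalid port %q", p)
		}
		expect += ":" + p
	}
	// Defence in depth against the parsing bug itself: on a vulnerable net/url a Host with a
	// suffix outside Hostname() and Port() would fail this equality and be rejected.
	if u.Host != expect {
		return nil, fmt.Errorf("reject: host %q carries unparsed data", u.Host)
	}
	return u, nil
}
```

Upgrading Go fixes the parser, but the scheme check is what closes the javascript:// case, so both belong in an application.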

Google’s Go programming language is a relatively young open source project that’s quickly becoming a favorite. Developers love Go because it helps them work on large projects that require high-level networking and multiprocessing, not to mention its general readability and usability. Since its release in 2012, Go has been adopted by major players like Netflix, Uber, and CloudFlare, to name a few. As the community of Go users continues to grow, so does the number of disclosed vulnerabilities, which is why it’s important to stay updated on any newly published issues and version updates.

You can read more about this issue and its fix here, and here.

#3 OpenCV

CVE-2019-14492, CVE-2019-14491

Vulnerability Score: High — 8.2

Affected versions: before 3.4.7 and 4.x before 4.1.1

This is yet another example of a large, well-established open source project that’s been doing its security work: two new vulnerabilities were disclosed in OpenCV, the popular computer vision and machine learning software library.

CVE-2019-14492 is an out-of-bounds read/write vulnerability, and CVE-2019-14491 is an out-of-bounds read vulnerability; both could lead to denial of service.

OpenCV provides a common infrastructure for computer vision applications, and its documentation states that the project was created with the goal of accelerating the use of machine perception in commercial products. So far the project seems to be achieving its goal: it boasts over 18 million downloads, and is used extensively by companies, research groups and governmental bodies for some cutting-edge computer vision and machine learning projects. Some of the more familiar names among OpenCV users are Google, Yahoo, Microsoft, Intel, IBM, Sony, Honda, and Toyota, demonstrating once again how hard it is today to find an industry that doesn’t harness the power of open source to deliver its goods.

Considering how popular and widely used this project is, if your organization is dealing with computer vision and machine learning, it’s best to make sure that you're using an updated version of OpenCV.

Read more about both of the issues on GitHub, here, here, and here.

#4 Kubernetes

CVE-2019-11248

Vulnerability Score: High — 8.2

CVE-2019-11247

Vulnerability Score: High — 8.1

CVE-2019-11246

Vulnerability Score: Medium — 6.5

Here is yet another wonder-child of the golden age of open source that’s taking care of its security business. Three new serious Kubernetes vulnerabilities were disclosed this month.

The first vulnerability, CVE-2019-11248, was discovered in the debugging endpoint of Kubelet’s healthz port, in versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10. According to the issue published on GitHub, this debugging endpoint can potentially be used to leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service.

Want to know more? Here’s more information about this issue and its fix.

Next, CVE-2019-11247 affects Kubernetes versions 1.7.x-1.12.x, 1.13.0-1.13.8, 1.14.0-1.14.4, and Kubernetes 1.15.0-1.15.1. According to the Kubernetes security announcement, the API server allows access to custom resources via the wrong scope. This could allow a user with limited access to create, view, update or delete the cluster-scoped resource.

You can read more about the issue on GitHub.

The third and final Kubernetes issue from August that we’re highlighting this month is CVE-2019-11246. It impacts versions prior to 1.12.9, 1.13.6, and 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. According to the Kubernetes security announcement, this vulnerability was discovered in the Kubernetes kubectl cp command and could enable a directory traversal, so that a malicious container could replace or create files on a user’s workstation. The advisory categorizes this issue as high-severity and recommends upgrading kubectl to Kubernetes 1.12.9, 1.13.6, or 1.14.2 or later.

Read more about this serious issue on GitHub.

We probably don’t need to remind you that Kubernetes adoption is at an all-time high and doesn’t seem to be slowing down. Sadly, users often forget that along with its many benefits, integrating Kubernetes into development also requires a new set of security practices. Make sure you’re using updated versions of Kubernetes if you want to continue enjoying the speed of DevOps without losing at the security game.

#5 Bower

WS-2019-0178

Vulnerability Score: Medium — 5

Affected versions: prior to 1.8.8

Ah, Bower, users still want to bundle with you, even though you’ve been recommending they migrate to Yarn and webpack or Parcel for nearly two years.

According to the release note on GitHub, this newly discovered issue in Bower could allow attackers to write arbitrary files on the filesystem when Bower extracts a malicious package. The note strongly recommends that users update their Bower version to 1.8.8.
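The kubectl cp issue (CVE-2019-11246) above and this Bower issue share a root cause: an archive produced by an untrusted side is unpacked onto the user’s machine, and entry names decide where the writes land. As an added example (not kubectl’s or Bower’s own code), the Go code below plans a tar extraction and refuses any entry that would resolve outside the destination; tar as the archive format, the /srv/pkg destination and the entry names are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin resolves an untrusted archive entry name against dest and rejects any result outside it.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans: it collapses ".." and re-roots absolute names under dest
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("archive entry %q escapes %s", name, dest)
	}
	return target, nil
}

// planExtraction walks an untrusted tar stream and returns the paths it would write under dest,
// failing on the first unsafe entry; links are refused because they could redirect later writes.
func planExtraction(r io.Reader, dest string) (targets []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		} else if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
			return nil, fmt.Errorf("refusing entry %q: unsupported type %d", hdr.Name, hdr.Typeflag)
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, target)
	}
}

func buildTar(names ...string) string { // constructed sample archive of empty regular files
	var buf strings.Builder
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o644})
	}
	_ = tw.Close()
	return buf.String()
}
```

The check is done on the cleaned destination path, not on the raw entry name, which is why a sibling directory that merely shares the destination's prefix is also rejected.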

Bower is a popular package management system for static content used by client-side web applications. While Bower’s maintainers have for quite some time been advising users to migrate away from Bower and use other package managers for new front-end projects, there are still many Bower users out there, and the number of downloads from npm is still high, at over 340k a week.

Over 30% of JavaScript open source vulnerabilities are published on community issue trackers and advisories outside of the NVD, and this is one of them. That’s why the issue’s ID starts with a WS prefix and not with a CVE, and it serves as a reminder that tracking only one source for information on new open source vulnerabilities, even if it’s as comprehensive as the NVD, is not enough.

If you're using an outdated version of Bower, make sure to update as soon as possible. You can find the updated and secure version of Bower on GitHub.

School Yourself on Open Source Security

There you have it folks, quite a doozy of a list, including some of the most basic building blocks that our technologies run on, as well as libraries that we’re using to create the most innovative software products of tomorrow.

All of the open-source projects featured in August’s list of top 5 new open source security vulnerabilities are maintained by large and dedicated communities that clearly invest in finding and fixing security vulnerabilities to ensure that the software we’re using and building is safe. It’s up to us to keep abreast of all of the security updates that the open source community is working hard to churn out.

Considering how much we rely on these open source components, it’s impossible to track all of the versions in use, or all of the newly disclosed security vulnerabilities, let alone their fixes. That’s why comprehensive open source vulnerabilities management needs to leverage automated tracking and remediation tools in order to ensure that any vulnerable open source components in our codebase are addressed as early as possible in the development process.

Want to catch up on open source vulnerabilities which could have slipped by in 2019? Check out our top open source vulnerabilities page to see if there are any that you might have missed.

See you next month when we pull together the top list for September. Until then, enjoy the last rays of sun, update your open source components, and make sure the vulnerabilities are taken care of.