Open Source vulnerabilities are an unfortunate fact of life. Vulnerable Open Source component downloads are up 12% over last year, and breaches involving OSS are up 55% year over year, according to our 2018 State of the Software Supply Chain Report. To say that getting ahead of the threat is imperative would be an understatement.
Many organizations find out about their vulnerable components only when one of those components becomes headline news. Then the race is on to determine which components are used in business-critical projects and how to take corrective action before a breach. The process is painstaking, frustrating and, above all, time consuming.
At Sonatype, our team of 65 data analysts meticulously tracks open source vulnerabilities and the component and sub-component versions they impact. With our new monthly series, Nexus Intelligence Insights, we hope to shed light on some of the lesser-known vulnerabilities as well as other industry-related news.
Our goal is to help organizations stay well informed and ahead of the open source software threat. Whether you’re a developer or involved in AppSec in general, Nexus Intelligence Insights is meant to put practical and actionable intelligence at your fingertips.
For our inaugural insight, we chose to take a deep-dive look at Apache Tomcat CVE-2017-5647. Often, only the more ubiquitous vulnerabilities with higher severity scores make the news or are talked about broadly. But many times, the less severe vulnerabilities can wreak havoc on development teams by undermining trust in the way data is accessed and handled. This is true of CVE-2017-5647, an information disclosure vulnerability that on the surface might appear less threatening, but can potentially expose sensitive data to users it was never meant for, whether they access it inadvertently or deliberately.
We also chose to showcase this older vulnerability this month because of its prominence score and the ease with which it can be exploited by accident.
So hello, and welcome. We hope you enjoy this new series and look forward to your feedback.
Do you have a topic or a vulnerability you’d like us to cover? Get in touch: email@example.com