Insecure Open Source Code Means Software Stacks Are Vulnerable: Painlessly Fix the Problem with Alkemist:Repo

Posted on August 7, 2020
Author: RunSafe Security

The debate surrounding the security of open source code is sure to continue for years to come, but given that roughly half of the vulnerabilities found in open source code go unmitigated (some even four years after disclosure), organizations remain exposed.

The use of open source is nearly unavoidable today, and it has become an integral part of any software development effort. Moreover, enterprises typically deploy a variety of open source software stacks. The most common of these is usually referred to as "LAMP," but there are countless others, including tools that don't fall into any specific stack. While each stack offers its own benefits, it also comes with its own inevitable set of vulnerabilities. Like any piece of software, open source is not immune to bugs, and many of those bugs manifest themselves as vulnerabilities.

Additionally, even though 85% of open source security vulnerabilities have a patch available, more than 50% of open source deployments don’t receive it for one reason or another, ultimately leaving them open to attack. 


LAMP stack…it’s under attack!

The "LAMP" stack was one of the first of its kind and remains the most commonly used stack. Consisting of Linux as the operating system, Apache as the web server, MySQL as the database, and PHP as the programming language, LAMP is a classic layered architecture that hosts a variety of popular web applications, such as WordPress, Wikipedia, and Drupal. It also offers a great deal of flexibility, with each layer replaceable by an alternative component.

So what are some of the specific vulnerabilities that exist within the LAMP stack? 

According to cvedetails.com and its categorization of vulnerabilities, most of them fall into three categories: memory corruption, overflow, and code execution. All three are, at root, memory-safety bugs in C/C++ code.

Here are a few examples:

Component   CVE              Details
Linux       CVE-2016-7117    Use-after-free in the kernel's recvmmsg() error handling, exploitable by remote attackers for code execution
            CVE-2016-10229   Remote code execution via crafted UDP packets (unsafe second checksum calculation on a recv() with MSG_PEEK)
Apache      CVE-2019-10097   Stack buffer overflow in mod_remoteip (PROXY protocol) that can be triggered by a trusted proxy server
            CVE-2014-0226    Race condition in mod_status that allows a heap-based buffer overflow
MySQL       CVE-2014-0001    Buffer overflow in the mysql client triggered by a long server version string
            CVE-2016-0546    Unspecified buffer overflow affecting the MySQL client
PHP         CVE-2019-9025    Out-of-bounds read/write from an invalid multibyte string passed to mb_split() in mbstring
            CVE-2016-2554    Stack buffer overflow in PHP's phar extension while processing TAR archives


One vulnerability that cuts across the entire stack is CVE-2015-0235, better known as "GHOST." It is a heap-based buffer overflow in the GNU C Library (glibc), in the code behind the gethostbyname() family of functions (hence the name), which Apache, MySQL, PHP, and almost every other Linux program call, directly or through a library, to resolve hostnames. Because glibc is loaded into nearly every process on a Linux system, a single unpatched copy puts every component of the stack at risk at once.
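As an added example (not from RunSafe or this post), here is a small C program that checks the running glibc for GHOST using the approach of the public Qualys test: it hands gethostbyname_r() a long all-digit "hostname" together with a result buffer that is deliberately one pointer too small, and places a canary immediately after that buffer. A patched glibc reports ERANGE and leaves the canary intact; the vulnerable __nss_hostname_digits_dots() code undercounted the space it needed and overwrote it. The canary string and buffer size are the example's own choices.

```c
/*
 * GHOST (CVE-2015-0235) check, adapted from the approach of the public
 * Qualys test (this is an illustrative rewrite, not the advisory's code).
 * Build: cc -o ghost_check ghost_check.c && ./ghost_check
 */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker chosen for this example */

/* Resolver scratch buffer immediately followed by a canary, so that any
 * write past the end of `buffer` lands in `canary`. */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/*
 * Returns 1 if the canary was overwritten (libc is vulnerable), 0 otherwise.
 * If `status` is non-NULL it receives gethostbyname_r()'s return value;
 * on a patched glibc that value is ERANGE ("buffer too small").
 */
int ghost_check(int *status)
{
    struct probe temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int rc;
    char name[sizeof(temp.buffer)];
    size_t len;

    memset(&temp, 0, sizeof temp);
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* Name length chosen (as in the Qualys test) so that the name copy plus
     * the address and pointer bookkeeping the resolver stores in `buffer`
     * sits exactly at the buffer boundary: a correct size check rejects it,
     * the vulnerable one (which forgot one pointer) accepts it and overflows. */
    len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);   /* all digits, so the "digits and dots" fast path is taken */
    name[len] = '\0';

    rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                         &result, &herrno);
    if (status)
        *status = rc;

    return memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
    int rc = 0;

    if (ghost_check(&rc)) {
        puts("vulnerable: canary overwritten (GHOST present)");
        return EXIT_FAILURE;
    }
    if (rc == ERANGE)
        puts("not vulnerable: resolver reported ERANGE and left the canary intact");
    else
        printf("not vulnerable: canary intact (gethostbyname_r returned %d)\n", rc);
    return EXIT_SUCCESS;
}
```

The check never sends traffic: an all-digit name is handled by the numeric-address fast path inside glibc, which is exactly where the overflow lived, so the result reflects the libc the process is linked against rather than anything on the network. Run it inside each container image or host you ship, since a patched base OS does not help a process that is statically linked or running on a stale image.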

Security and Memory Threats

Other Stacks: MEAN, ELK and/or Elastic

In addition to the LAMP stack, it's also important to note the presence and popularity of the MEAN and ELK software stacks. The first, "MEAN," was coined in 2013 by Valeri Karpov. The name refers directly to its composition of MongoDB, Express.js, AngularJS, and Node.js, and the stack offers the benefits of being written entirely in JavaScript, easily deployable, and cost-effective. The MEAN stack is also well suited to cloud hosting and cloud-native application development, and has been adopted by large enterprises, including PayPal, Netflix, and Uber, for tasks like expense tracking, location finding, and news aggregation.

The other software stack was previously known as "ELK," but is now mostly referred to as the Elastic Stack. It draws its name from the Elasticsearch, Logstash, and Kibana components, and the later addition of Beats completed the group as it exists today. Growing rapidly in popularity in open source circles, the Elastic Stack is now used by organizations like Box, Walmart, and Pfizer. This is because it fills needs in the log analytics space that other stacks left unmet, whether it's analyzing logs, scraping and visualizing data, or providing full-text search.


What to Do About It?

The numerous vulnerabilities across some of the most popular open source software stacks may lead many non-technical users, and even some developers and security teams, to conclude that open source code is inherently insecure and should be avoided. That said, open source software isn't all doom and gloom. These vulnerabilities simply signal that there are cyber risks involved, as with every other part of the technology stack, and there are tools and processes specifically designed to mitigate those risks.

Promptly installing updates, prioritizing secure coding, and using automated tools to detect and remove flaws as early as possible in the development process are just a few ways to mitigate the risks of open source usage. Regardless of the specific tool used to harden open source software, organizations that run LAMP and the other stacks should keep up to date on the risks involved so that development and innovation can continue smoothly and securely.

What if there was a way to fix insecure code directly, without developer friction or a performance hit?


What’s the Best Way to Dramatically Reduce your Attack Surface?

Alkemist:Repo by RunSafe Security offers pre-hardened open source packages with built-in protection against several classes of memory-corruption attack. This dramatically reduces the attack surface across whatever stack an organization uses.

So, the answer depends on your role.

For Enterprise IT Managers

  • Download pre-hardened binaries of your favorite open source code
  • Choose from Apache, NGINX, memcached, redis, node.js, python, and more
  • No change in functionality or performance, but security built-in

For Cloud Workload Protection Platforms

  • Gartner declares memory protection a must-have in Cloud Workload Protection Platforms
  • Dramatically reduce the attack surface of deployed software, by 60-70% or more
  • Dramatically reduce your customers’ exposure to the most severe cyber attacks

Alkemist:Repo offerings are pre-hardened with Alkemist LFR technology. Deploy the same way you do today, with just one change: point at the hardened file in RunSafe's repository instead of the original open source repository. Images are built from the original supplier's releases and work as drop-in replacements, requiring no rework or configuration changes beyond updating that file pointer.

Every open source update can introduce new, not-yet-disclosed vulnerabilities, and those unknown risks add overhead for scanning, testing, unplanned patching, and downtime. Alkemist:Repo builds patented runtime cyber protections directly into the open source code, so that every image is functionally identical to the original but has its own unique in-memory layout. This automatically protects your critical IT infrastructure from the most common and severe types of memory-based cyber attacks.

Click here to register for Alkemist:Repo now!
