A recent study found critical vulnerabilities in the commonly used open-source components of commercial off-the-shelf (COTS) IT products, a category that is probably subject to less stringent regulation by the Federal government.
The white paper by GrammaTech and Osterman Research found a wide-ranging use of open-source components in the COTS products and said that meeting and email client COTS products are the most vulnerable.
“Many open-source components contain a range of known vulnerabilities that can be used as egress points for cyberattacks. Lack of awareness of open-source components used by organisations in commercial off-the-shelf software increases the security risk, attack surface, and potential for compromise by cybercriminals,” reads the study.
Among the applications analysed in groups of five, 30 percent of all the open-source components contained at least one vulnerability that has already been assigned a Common Vulnerabilities and Exposures (CVE) identifier. The email and meeting tools have the “highest average weighting” of vulnerabilities, which is concerning given their widespread use across organisations.
Of the components identified across the applications analyzed by CodeSentry and used in this study, two versions of the firefox open-source component (not the browser itself) contributed 75.8% of the CVEs. In second place, 16 versions of openssl had a combined 9.6% of the CVEs, and two versions of libav were 8.3% of the CVEs. These numbers are derived by counting the number of vulnerabilities in each component when a component is used in an application.
The study also found that newer COTS products were not always more secure. In analysing some products with multiple versions, the updated versions were not always safer than their predecessors.
The openssl open-source component presented with vulnerabilities in 16 different versions. Version 1.0.2d was the earliest version (51 vulnerabilities), and 1.1.1i was the latest (4 vulnerabilities). While the drop from 51 to 4 vulnerabilities is commendable, new major versions (e.g., 1.1.0 and 1.1.1) have presented with a higher number of vulnerabilities than the version immediately preceding them.
Just three of the applications studied did not have some sort of critical vulnerability found.