A 15-year-old Python tarfile module vulnerability raises concerns about the software supply chain.
The CVE-2007-4559 vulnerability, which is thought to be present in over 350,000 open source projects and to be common in closed-source projects, was the subject of research published by Trellix Advanced Research Center.
The Python tarfile module, a standard-library module available to every project written in Python, is used in frameworks from AWS, Intel, Facebook, Google, Netflix and other companies, as well as in programmes for machine learning, automation and Docker containerisation.
The flaw can be used to execute arbitrary code or take control of a target device by uploading a malicious tar archive, one that can be created with just two or three lines of basic code.
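The defensive check a practitioner wants here is to validate every archive member before anything is written to disk. The following is an added example, not code from the article or from Trellix: it builds a constructed in-memory tar archive containing one benign member and one member whose name climbs out of the destination with `../`, then shows a `safe_extract` wrapper that refuses the whole archive if any member (including symlink or hardlink targets) would land outside the extraction directory. The function names and the sample member names are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar archive from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)  # TarInfo does not normalise names, so "../" survives
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_within(base, target):
    """True if target resolves to a path inside base (both made absolute and canonical)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def find_unsafe_members(tar, dest):
    """Return the names of members that would be written or linked outside dest."""
    unsafe = []
    for member in tar.getmembers():
        path = os.path.join(dest, member.name)
        # Absolute names and "../" traversal both escape the destination directory.
        if os.path.isabs(member.name) or not is_within(dest, path):
            unsafe.append(member.name)
            continue
        # A symlink target is relative to the member's own directory; a hardlink
        # target is relative to the archive root. Either may point outside dest.
        if member.issym():
            target = os.path.join(os.path.dirname(path), member.linkname)
        elif member.islnk():
            target = os.path.join(dest, member.linkname)
        else:
            continue
        if os.path.isabs(member.linkname) or not is_within(dest, target):
            unsafe.append(member.name)
    return unsafe


def safe_extract(tar, dest):
    """Extract only if every member passes the check; otherwise write nothing."""
    unsafe = find_unsafe_members(tar, dest)
    if unsafe:
        raise tarfile.TarError(f"refusing to extract members escaping {dest!r}: {unsafe}")
    tar.extractall(dest)


def demo():
    """Constructed demonstration: a hostile archive is refused, a benign one is extracted."""
    hostile = build_tar({"good/file.txt": b"hello", "../escape.txt": b"owned"})
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=hostile) as tar:
        unsafe = find_unsafe_members(tar, dest)
        try:
            safe_extract(tar, dest)
            refused = False
        except tarfile.TarError:
            refused = True
        extracted_from_hostile = sorted(os.listdir(dest))

    benign = build_tar({"good/file.txt": b"hello"})
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=benign) as tar:
        safe_extract(tar, dest)
        extracted_from_benign = sorted(os.listdir(os.path.join(dest, "good")))

    return {
        "unsafe": unsafe,
        "refused": refused,
        "extracted_from_hostile": extracted_from_hostile,
        "extracted_from_benign": extracted_from_benign,
    }


if __name__ == "__main__":
    print(demo())
```

Checking every member up front, rather than per file during extraction, means a hostile archive leaves no partial output behind. On Python 3.12 and later, `extractall` also accepts a `filter` argument (PEP 706) whose `"data"` filter rejects the same classes of member; the explicit check above is the portable option for code that must also run on older interpreters.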
Open source developer tools like Python are needed to promote computing and creativity, and protecting them from known risks requires industry cooperation. To shield open-source projects from the vulnerability, the researchers aim to release fixes via GitHub pull requests.
The full study is available from Trellix, and developers can use a free tool on GitHub to check whether their applications are vulnerable.
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident; however, building on top of weak code-foundations can have an equally severe impact,” said Christiaan Beek, Head of Adversarial & Vulnerability Research, Trellix. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”