Apache Software Foundation warns its patching efforts are being undercut by use of end-of-life software
14 January 2022 at 15:01 UTC
Updated: 14 January 2022 at 15:05 UTC
Non-profit shares metrics in its latest annual security review of 350-plus projects
The Apache Software Foundation (ASF) has warned that its efforts to respond rapidly to security vulnerabilities are being undermined by organizations running end-of-life versions of Apache software.
The warning came as part of the ASF’s latest annual review of security across the Apache ecosystem, which revealed that the non-profit had received 441 reports of potential new vulnerabilities in 2021 across 99 top-level projects.
That figure represents a 17% rise in submissions reaching triage compared to 2020 (376 reports) and a 38% rise on 2019 (320).
The reports ultimately accounted for 183 CVEs – up 21% on 2020 (151) and 50% on 2019 (122) – that included the bombshell Log4j vulnerability in December and a number of other flaws affecting multiple projects.
Fifty of the 441 reports, sent by both project maintainers and external security researchers, were still under triage by the end of the year – meaning they had yet to be assigned a CVE or rejected as invalid. This number was higher than expected due to a spike in reports at the tail end of December, said the ASF.
“While the ASF often gets updates for critical issues out quickly, reports show that users are being exploited by old issues in ASF software that have failed to be updated for years, and vendors (and, thus, their users) still make use of end-of-life versions which have known unfixed vulnerabilities,” said Mark Cox, ASF vice president of security.
“This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what we can do to help.”
White House summit
The fact that supply chain weaknesses reside downstream as well as upstream was among the points made by the ASF in a position paper published ahead of its attendance yesterday (January 13) at a White House-hosted virtual summit focused on open source security.
The ASF said it also received 135 emails reporting ‘flaws’ in the Apache website in 2021 that were nearly all “false positives”.
The ASF’s report highlighted other noteworthy Apache vulnerabilities and developments in 2021; unsurprisingly, these included the notorious Log4j bug.
It also flagged a cross-site scripting (XSS) flaw in Apache Velocity that was disclosed prematurely in January after a months-long delay between a fix being developed and the corresponding patch being released.
The ASF welcomed research into novel HTTP/2-exclusive threats impacting the Apache HTTP Server (CVE-2021-33193) published in August, and the addition of Apache Airflow, Apache HTTP Server, and Apache Commons to HackerOne’s Internet Bug Bounty program in October.
Despite the resource constraints inherent in a volunteer-staffed organization, Mark Cox said the ASF continues to achieve “a consistent process for how reported security issues are handled” among more than 350 diverse, independent Apache projects, and reserves the right to archive projects that fall short.