October 2021 Summaries
8 posts from JFrog
Filter
Month:
Year:
Post Summaries
Back to Blog
JFrog Security's research team identified two denial of service vulnerabilities, CVE-2021-37136 and CVE-2021-37137, in the Netty framework, which are present in versions 4.1.0 through 4.1.67. These vulnerabilities affect applications using Netty for decompressing user-supplied Bzip2 or Snappy data streams, potentially allowing attackers to exploit the Bzip2 decoder to create a "zip bomb" that exhausts system memory and crashes processes. The issue arises from the decoder's behavior of attempting to decompress an entire file before adding it to the output buffer, leading to memory exhaustion. Netty addressed the vulnerability by updating to version 4.1.68, where the decoder function now returns after processing each chunk, thus preventing the issue. JFrog's testing confirmed that the fix successfully prevents the exploit without requiring additional user interventions, and they expressed gratitude to the Netty maintainers for their prompt resolution.
Oct 26, 2021
468 words in the original blog post.
JFrog Xray versions 3.31 and 3.32 have introduced several new features aimed at enhancing workflow efficiency, productivity, and user experience for developers and DevSecOps teams using JFrog Artifactory. These updates include the ability to clone Xray Reports for quick report replication, perform hot upgrades of Xray High Availability installations without downtime, and set grace periods before failing builds due to violations, which helps manage non-critical issues without halting the CI/CD pipeline. Enhanced dependency scanning and on-demand binary scanning shift security checks earlier in the software development lifecycle, allowing for the detection of vulnerabilities before code is committed to Artifactory. New filtering options for Watches and Ignore Rules improve the management and visibility of relevant data, and an enhancement to the Ignore Rules REST API allows sorting by project. These features are available for users with Artifactory version 7.25.x and higher, and JFrog offers access through a free trial or permanent free subscription with its cloud option.
Oct 21, 2021
824 words in the original blog post.
JFrog has identified a directory traversal vulnerability in CivetWeb, a widely used embeddable web server, affecting versions 1.8 through 1.14. This issue, which can lead to remote code execution if exploited, particularly impacts web applications using CivetWeb's built-in file upload handler. The vulnerability arises from a lack of path traversal sanitization in Linux and OSX builds, allowing malicious file uploads. CivetWeb maintainers have addressed the problem by updating the form-handling code to canonicalize filenames and modify the example code to filter out path separators, adhering to RFC standards. Automated vulnerability scanning technologies, such as JFrog Xray, can identify and assess the applicability of this CVE in software artifacts. The article emphasizes the importance of adhering to RFCs for secure web library implementations and acknowledges CivetWeb's maintainers for their prompt and thorough resolution of the issue.
Oct 19, 2021
1,000 words in the original blog post.
The ongoing competition in the DevOps landscape resembles a modern space race, with significant investments in digital transformation expected to reach $6.8 trillion by 2023. Despite this, research indicates that 70% of companies may fail to reach their goals due to inefficient collaboration. As companies strive to scale DevOps, a critical challenge is ensuring that people and tools work seamlessly together. GitLab, known for its version control system, offers a range of DevOps tools but lacks maturity and integration in some areas, leading to silos within their solutions. In contrast, JFrog emphasizes a binaries-centric approach, asserting that managing and distributing binaries is key to DevOps success. JFrog provides a more comprehensive and integrated platform, supporting numerous package types, automated policies, and distribution solutions. Both platforms offer CI/CD capabilities, but JFrog's Pipelines feature native steps and integrations, enhancing automation. Additionally, JFrog supports high availability, regional geo-replication, and a private distribution network, positioning it as a robust solution for organizations seeking to accelerate and secure software delivery.
Oct 18, 2021
3,573 words in the original blog post.
Prometheus, an open-source monitoring and alerting tool, is widely used by cloud-native organizations for tracking real-time metrics, but historically lacked built-in security features like authentication and encryption. This changed with the introduction of TLS and basic authentication support in version 2.24.0, addressing concerns over exposed sensitive data from publicly accessible endpoints. Despite these updates, many organizations have yet to implement these security measures, leaving considerable operational information vulnerable to unauthorized access. The blog highlights how this exposure can lead to leakage of sensitive data, such as usernames, passwords, and configuration files, often without developers' awareness. It emphasizes the necessity of adopting these security features to protect against data leaks and suggests using external tools like nginx for enhanced security. The blog also encourages organizations to routinely check their Prometheus endpoints for potential data exposure, even if they have implemented the new security features, and to stay informed about security practices through resources like JFrog Xray.
Oct 12, 2021
2,065 words in the original blog post.
JFrog's security research team has identified a code injection vulnerability in Yamale, a widely-used YAML schema validator, under the CVE-2021-38305 designation. The vulnerability arises from the ability of attackers to manipulate the schema file, one of the mandatory parameters for Yamale, to execute arbitrary Python code due to its handling of the eval function. Despite efforts to limit vulnerabilities by restricting built-in functions, attackers can still leverage Python reflection to execute code. Yamale's maintainers addressed the issue by introducing a whitelist to sanitize input before evaluation, although using ast.literal_eval is recommended as a safer alternative. While remote exploitation is theoretically possible if an attacker can control the schema file, such scenarios are rare in production environments. The report highlights the importance of sanitizing eval inputs and praises Yamale's maintainers for their prompt response in addressing the security flaw.
Oct 05, 2021
860 words in the original blog post.
The vulnerability disclosure process is a complex interaction between security researchers and organizations responsible for software or hardware, aimed at identifying and addressing security flaws before they can be exploited by cybercriminals. Security researchers, who often operate independently, can have various motivations such as building relationships with vendors, earning bug bounties, or gaining media attention. Organizations need to manage the disclosure process carefully to mitigate risks, including patching the vulnerabilities, alerting customers, and handling media communications. To improve this process, establishing a clear Vulnerability Disclosure Program (VDP) is crucial, as it helps manage unexpected attack vectors and fosters a cooperative relationship between vendors and researchers. Effective communication, timely security advisories, and clear reporting methods are essential for reducing conflicts and ensuring that vulnerabilities are addressed promptly. Researchers are advised to ensure their testing is legal, provide detailed and understandable reports, and avoid demanding rewards outside of established bug bounty programs. As the software landscape grows more complex, the importance of vulnerability disclosures increases, helping prevent potential breaches that could disrupt operations and damage reputations. The JFrog security research team contributes to this effort by enhancing software security through automated analysis and coordinated disclosures.
Oct 04, 2021
951 words in the original blog post.
Composer 2.0, released on October 24, 2020, offers significant improvements over its predecessor, including up to 50% better performance in speed and memory usage for PHP dependency resolution. This update is particularly impactful given PHP's widespread use, with around 80% of websites incorporating PHP. Artifactory 7.24 supports the transition by accommodating both Composer v1 and v2 standards, allowing teams to migrate at their own pace while maintaining their existing Composer packages. Packagist, the primary PHP Composer registry, has deprecated Composer 1.x by reducing its metadata API update rate and restricting access to unused packages, encouraging developers to adopt Composer v2. Artifactory's new features, such as the Composer v2 metadata API and support for Drupal registries, facilitate seamless integration and improved performance. Users can enable or disable Composer v1 indexing in Artifactory configurations and are advised to update to the latest version of Artifactory to ensure compatibility and optimize package management services.
Oct 01, 2021
843 words in the original blog post.