Vulnerabilities in popular open source projects doubled in 2019

Jenkins and MySQL have had the most weaponized vulnerabilities in the past five years.

A study that analyzed the top 54 open source projects found that security vulnerabilities in these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year.

In its "The Dark Reality of Open Source" report, released today, RiskSense says it found 2,694 bugs reported in popular open source projects between 2015 and March 2020.

The report didn't include projects like Linux, WordPress, Drupal, and other super-popular free tools, since these projects are often monitored, and security bugs make the news, ensuring most of these security issues get patched fairly quickly.

Instead, RiskSense looked at other popular open source projects that aren't as well known but broadly adopted by the tech and software community. This included tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet, and others.

RiskSense says that one of the main problems it found during the study was that a large number of the security bugs it analyzed had been reported to the National Vulnerability Database (NVD) many weeks after they had been publicly disclosed.

The company said it took on average around 54 days for bugs found in these 54 projects to be reported to the NVD, with PostgreSQL seeing reporting delays that amounted to eight months.

[Image: risksense-delays.png (RiskSense)]

Since cyber-security and IT software companies use the NVD to create and send security alerts, the delays in reporting resulted in situations where companies remained exposed and open to attacks.
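The exposure window the report describes is the gap between an upstream disclosure and the date the corresponding NVD entry appears. The following is an added example (not RiskSense's code or methodology, and not part of the original article) that computes that lag per advisory and per project from a constructed set of records, and flags advisories that are already public upstream but still absent from NVD, which is exactly the case an NVD-only alerting feed would miss. The record fields, the `ADV-000x` ids, the project names and the `SAMPLE_AS_OF` cut-off date are all assumptions made up for the example.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (not from the RiskSense report). "disclosed" is the
# date the fix or advisory was published upstream; "nvd_published" is the date the
# NVD entry appeared, or None if no NVD entry exists yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "project": "ProjectA", "disclosed": date(2019, 3, 1), "nvd_published": date(2019, 4, 24)},
    {"id": "ADV-0002", "project": "ProjectA", "disclosed": date(2019, 6, 10), "nvd_published": date(2019, 6, 20)},
    {"id": "ADV-0003", "project": "ProjectB", "disclosed": date(2019, 1, 15), "nvd_published": date(2019, 9, 12)},
    {"id": "ADV-0004", "project": "ProjectC", "disclosed": date(2020, 2, 3), "nvd_published": None},
]

# Constructed cut-off date used when checking for advisories still missing from NVD.
SAMPLE_AS_OF = date(2020, 3, 31)


def reporting_lag_days(record):
    """Days between upstream disclosure and NVD publication; None if NVD has no entry yet."""
    if record["nvd_published"] is None:
        return None
    return (record["nvd_published"] - record["disclosed"]).days


def lag_by_project(records):
    """Average reporting lag (days) per project, counting only advisories NVD has published."""
    per_project = {}
    for r in records:
        lag = reporting_lag_days(r)
        if lag is not None:
            per_project.setdefault(r["project"], []).append(lag)
    return {p: round(mean(lags), 1) for p, lags in per_project.items()}


def lag_summary(records):
    """Overall mean and median lag across all advisories that reached NVD."""
    lags = [lag for lag in (reporting_lag_days(r) for r in records) if lag is not None]
    return {"mean": round(mean(lags), 1), "median": median(lags)}


def exposure_gaps(records, as_of, threshold_days=7):
    """Advisories public upstream but absent from NVD for more than threshold_days as of `as_of`.

    Each result is (advisory id, project, days waiting); a team relying only on NVD-driven
    alerts has had no notification for these during the whole waiting period.
    """
    gaps = []
    for r in records:
        if r["nvd_published"] is None:
            waiting = (as_of - r["disclosed"]).days
            if waiting > threshold_days:
                gaps.append((r["id"], r["project"], waiting))
    return gaps


if __name__ == "__main__":
    print("Average lag per project (days):", lag_by_project(SAMPLE_ADVISORIES))
    print("Overall lag:", lag_summary(SAMPLE_ADVISORIES))
    print("Still missing from NVD as of", SAMPLE_AS_OF, ":", exposure_gaps(SAMPLE_ADVISORIES, SAMPLE_AS_OF))
```

In practice the `disclosed` dates would come from the projects' own release notes or security advisories and `nvd_published` from the NVD feed; the point of the check is that the upstream source, not NVD, is what closes the window the report measures.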

It also allowed threat actors to create and deploy exploits -- resulting in the "weaponization" of a security bug.

RiskSense says that of all the 54 projects it analyzed, the Jenkins automation server and the MySQL database server had the most weaponized vulnerabilities since 2015, both with 15.

[Image: risksense-delays-top-exploited.png (RiskSense)]

"However, large numbers of CVEs don't necessarily translate to equally large amounts of weaponized vulnerabilities," RiskSense said.

While other open source projects had fewer bugs, those bugs were sometimes easier to weaponize, as was the case with the Vagrant virtualization software and the Alfresco content management system.

[Image: risksense-delays-top-exploited-percentage.png (RiskSense)]

With open source projects now part of roughly 99% of all commercial software projects, RiskSense argues that improvements are needed in the way security vulnerabilities are handled, both inside open source projects and by the industry as a whole.

This is more important than ever now because "open source projects are generating new vulnerabilities at a historically rapid pace."