Using Vulnerable Libraries

Fixing Vulnerable Libraries

About Vulnerable Libraries

What are Vulnerable Libraries?

Vulnerable libraries are software components or modules that contain known security vulnerabilities that can be exploited by attackers. Libraries are typically pre-written code that is designed to perform specific functions or tasks and can be used by developers to build their own applications.

Vulnerable libraries can enter a codebase in various ways: as outdated or unsupported libraries, as libraries with known security issues, or as libraries that have been modified by third-party developers.

What is the impact of Vulnerable Libraries?

Vulnerable Libraries can contain any kind of vulnerability, ranging from moderate to critical risk. In some cases, these vulnerabilities are easily exploitable, even through automation, such as Log4Shell (CVE-2021-44228). This can result in immediate compromise of the application.

A list of the Top 15 Routinely Exploited Vulnerabilities in 2021 can be seen here.

How to prevent Vulnerable Libraries?

To prevent the use of vulnerable libraries, it is important to follow security best practices and implement appropriate security measures, such as:

  • Use up-to-date and supported libraries: Choose libraries that have been tested for security vulnerabilities and have been updated with security patches.
  • Regularly scan and test libraries: Use automated tools and services to identify known vulnerabilities and potential security issues.
  • Conduct regular security audits: Use audits and code reviews to identify and address potential security issues and vulnerabilities.
  • Monitor alerts and notifications: Follow alerts from security vendors and industry groups about potential security risks and vulnerabilities in libraries and other software components.

Ideally, the patch management process ensures that updates are installed on an ongoing basis, to avoid having to install major version updates. Automated test suites can help verify that the application still works as intended after an upgrade.

Option A: Update the library

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. Identify the right package in the packages.config or *.csproj.
  3. Change the version of the related package to reflect the patched version.
  4. Test to verify that the upgrade doesn't break the app.
  5. Ship it 🚢 and relax 🌴

Option B: Update the library via NuGet

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. Perform one of the following:
    • Package Manager UI: On the Updates tab, select one or more packages and select Update.
    • Package Manager Console: Run the Update-Package command.
    • nuget.exe CLI: Run nuget.exe update on the command line.
  3. Verify that the affected packages have been updated to reflect the patched version.
  4. Test to verify that the upgrade doesn't break the app.
  5. Ship it 🚢 and relax 🌴
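
A check for step 2 of Option A and step 3 of Option B, as an added example that is not GuardRails code: it reads packages.config and *.csproj content and reports whether a package is still declared below the patched version. The package name Example.Json, the versions and the file contents are constructed for illustration; floating, pre-release or missing versions are flagged for manual review.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace that old-style .csproj files put on every element."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'13.0' -> (13, 0, 0, 0); raises ValueError for floating or pre-release versions."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def declared_versions(xml_text, package_id):
    """Versions of package_id declared in one packages.config or *.csproj document."""
    wanted, found = package_id.lower(), []
    for elem in ET.fromstring(xml_text).iter():
        name = local(elem.tag)
        if name == "package" and elem.get("id", "").lower() == wanted:
            found.append(elem.get("version"))
        elif name == "PackageReference" and elem.get("Include", "").lower() == wanted:
            version = elem.get("Version")
            if version is None:  # Version can also be a child element
                version = next((c.text for c in elem if local(c.tag) == "Version"), None)
            found.append(version)
    return found

def check_upgrade(files, package_id, patched):
    """Map each file name to 'ok', 'vulnerable', 'review' or 'absent'."""
    result = {}
    for name, xml_text in files.items():
        versions = declared_versions(xml_text, package_id)
        try:
            old = any(parse_version(v) < parse_version(patched) for v in versions)
            result[name] = "absent" if not versions else "vulnerable" if old else "ok"
        except (ValueError, AttributeError):  # '13.*', '13.0.1-beta' or no version given
            result[name] = "review"
    return result

# Constructed sample input: the package name, versions and files are made up.
SAMPLE_FILES = {
    "packages.config": '<packages><package id="Example.Json" version="12.0.3" /></packages>',
    "Api.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
    '<PackageReference Include="example.json" Version="13.0.1" /></ItemGroup></Project>',
    "Worker.csproj": '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
    '<ItemGroup><PackageReference Include="Example.Json"><Version>13.*</Version>'
    '</PackageReference></ItemGroup></Project>',
}

if __name__ == "__main__":
    for name, status in check_upgrade(SAMPLE_FILES, "Example.Json", "13.0.1").items():
        print(f"{name}: {status}")
```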

Option C: When no update is available

  1. Look at the vulnerable package in the GuardRails PR comment.
  2. If no update is available then you have 3 choices:
    • Remove the package if it's not needed
    • Replace the package with another one that doesn't contain vulnerabilities
    • Take a closer look at the vulnerability details and create a PR patching it
  3. Test to verify that your actions don't break the app.
  4. Ship it 🚢 and relax 🌴