Using Vulnerable Libraries
Fixing Vulnerable Libraries
About Vulnerable Libraries
What are Vulnerable Libraries?
Vulnerable libraries are software components or modules that contain known security vulnerabilities that can be exploited by attackers. Libraries are typically pre-written code that is designed to perform specific functions or tasks and can be used by developers to build their own applications.
Vulnerable libraries can be introduced in various ways, such as outdated or unsupported libraries, libraries with known security issues, or libraries that have been modified by third-party developers.
Check out this video for a high-level explanation:
What is the impact of Vulnerable Libraries?
Vulnerable Libraries can contain any kind of vulnerability, ranging from moderate to critical risk. In some cases, these vulnerabilities are easily exploitable, even through automation, such as Log4Shell (CVE-2021-44228). This can result in immediate compromise of the application.
A list of the Top 15 Routinely Exploited Vulnerabilities in 2021 can be seen here.
How to prevent Vulnerable Libraries?
To prevent the use of vulnerable libraries, it is important to follow security best practices and implement appropriate security measures, such as:
- Use up-to-date and supported libraries: Use up-to-date and supported libraries that have been tested for security vulnerabilities and have been updated with security patches.
- Regularly scan and test libraries: Regularly scan and test libraries for known vulnerabilities, using automated tools and services to identify potential security issues and vulnerabilities.
- Conduct regular security audits: Conduct regular security audits and code reviews to identify and address potential security issues and vulnerabilities.
- Monitor alerts and notifications: Monitor alerts and notifications from security vendors and industry groups about potential security risks and vulnerabilities in libraries and other software components.
Ideally, the patch management process ensures that updates are installed on an ongoing basis, to avoid having to install major version updates. Automated test suites can help verify that the application is still working the way it is intended after an upgrade.
References
Taxonomies
- OWASP Top 10 - A06 Vulnerable and Outdated Components
- CWE-1104: Use of Unmaintained Third Party Components
Training
Insecure OpenSSL Library
A vulnerable OpenSSL library has been detected in the Dockerfile.
Rule-specific references:
Option A: Use a secure OpenSSL library
Follow the instructions below:
- Look at the referenced Dockerfile instruction, e.g.
...
RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz
...
- Update the version to at least
3.0.7
- Test to verify that the upgrade doesn't break the app
- Ship it 🚢 and relax 🌴