The number of open source software (OSS) vulnerabilities more than doubled in 2019 compared with 2018, a new RiskSense report has shown. The total number of Common Vulnerabilities and Exposures (CVE) entries reached 968 last year, up from 421 in 2018, a rise of 130%. CVE counts have remained at historically high levels into the first three months of 2020 too, suggesting this is a long-term trend.
The report also revealed that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) following public disclosure. These delays mean organizations are often exposed to serious application security risks for around two months. The lags were observed across all severities of vulnerabilities, including those rated as ‘critical’ and those that have been weaponized.
The OSS projects that had the most CVEs were the Jenkins automation server (646) and MySQL (624), each of which had 15 weaponized vulnerabilities. While HashiCorp’s Vagrant only had nine CVEs, a very high proportion (six) were weaponized. Other OSS projects that had vulnerabilities that were trending or popular in real-world attacks included Apache Tomcat, Magento, Kubernetes, Elasticsearch and JBoss.
Cross-site scripting weaknesses were the second most common form of vulnerability, and the most weaponized. They were followed by input validation issues, which were the third most common and second most weaponized. Additionally, the study showed that some weaknesses, such as deserialization issues (28) and code injections (16), were far less common but remained very popular in active attack campaigns.
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense. “Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”