In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information, including names, Social Security numbers, birth dates, and addresses of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Equifax Canadian customers.
Last month, during the process of creating the latest Black Duck Security Advisory (BDSA), the security research time at our Cybersecurity Research Center (CyRC) discovered that 23 additional versions of Struts (Struts 2.0.4–2.3.34 and Struts 2.5.0–2.5.16) were also vulnerable to CVE-2018-11776 but were not listed as such by the NVD.
Black Duck subsequently informed the Apache Software Foundation, which in turn quickly updated their page that lists the versions of Struts affected by CVE-2018-11776. Notably, at the time of this writing, the NVD has yet to update their information.
The tl;dr on all the above is this:
Launched in 2005, the National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data managed by the National Institute of Standards and Technology (NIST). The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
The NVD is sometimes confused with the CVE (Common Vulnerabilities and Exposures) list, which was created by MITRE way back in 1999 and is still rocking on today. In actuality, the NVD and CVE are two separate but interconnected entities. The NVD is built on and synchronized with the CVE list, so any updates to CVE appear in the NVD. The CVE reference system assigns each publicly disclosed security vulnerability a CVE identification number. CVE IDs are then provided to researchers, vulnerability disclosers, and information technology vendors, and are also used to communicate with software development teams.
While you’ve probably heard of the NVD and CVE list, you may not be as familiar with the CVE Numbering Authority (CNA). CVE IDs are assigned by the CNA, a group of 90 organizations around the world that includes large corporations like Google and Microsoft.
And there’s the rub. The CNA’s composition means that NVD vulnerability reporting is, unsurprisingly, oriented toward security issues specific to software built and managed by the organizations that compose the CNA. The NVD listed over 14,700 vulnerabilities in 2017. But other reports gave vulnerability totals of over 20,000, with nearly 8,000 of those flying under the NVD radar.
The figures address all known vulnerabilities reported in 2017, but more than 4,800 of those were open source vulnerabilities, continuing a five-year growth trend in known open source vulnerabilities. Over 40,000 open source vulnerabilities have been reported in the past 17 years.
Timeliness is another factor affecting the NVD. There is often a significant time lag between the first disclosure of a vulnerability and the publication of the vulnerability in the NVD, with some research reporting an average 33 days between initial announcement and NVD publication. That time lag presents a huge window of opportunity for malicious actors to take advantage of vulnerabilities.
For example, the Linux vulnerability CVE-2016-5195, popularly known as Dirty Cow, was announced on Oct. 19, 2016. Proof-of-concept code exploiting the vulnerability was available a full two weeks before the Nov. 10 listing for the CVE in the National Vulnerability Database. That’s two weeks where anyone relying on the NVD to stay current with significant vulnerabilities would have been left in the cold.
Customers subscribing to Black Duck have always received vulnerability data from both the NVD as well as a premium vulnerability data feed identifying additional vulnerabilities not cataloged in the NVD. But we felt we could do even better.
Black Duck has released the next stage of deep-sourced vulnerability data that is discovered, curated, analyzed, and published hourly by our CyRC security research teams—the Black Duck Security Advisories (BDSAs).
A BDSA is a classification of open source vulnerabilities identified by the CyRC security research team but not published in the NVD at the time of discovery. BDSAs provide earlier notification of vulnerabilities affecting your codebase (often days or weeks before NIST publishes them in the NVD). They deliver security insight, technical details, and upgrade/patch guidance beyond anything else commercially available today.
With dozens of CyRC security researchers investigating open source project and vulnerability data, we can discover and publish more vulnerabilities quicker than any other commercially available resource, and react with superior agility with earlier notification of vulnerabilities affecting your codebase.
To receive Black Duck Security Advisories, you’ll need to upgrade to Black Duck version 4.4. Contact your Black Duck customer success team for more information. Consider the 23 versions of Struts discovered by the CyRC research team, vulnerable to CVE-2018-11776 and still unlisted in the NVD, and ask yourself:
“How am I protecting my code if I don’t have Black Duck Security Advisories?”