Open Source Insight: Apache Struts Exploits, Cloudera IPO Risks & the Next Cybercon Valley By Fred Bals, Senior Content Writer & Editor

Upload: black-duck-software

Post on 16-Apr-2017




Seven days into the cruelest month and the redesigned NVD already has 255 CVEs listed, including a slew of discovered vulnerabilities in various Huawei.

This Week’s Key Takeaways


More Open Source News

Other open source security and cybersecurity stories include:

• The German publication Sysbus has a “security” theme
• Open source proto-unicorn Cloudera files for an IPO
• Black Duck at BlackHat Asia 2017
• Who’ll be the world’s next cybersecurity capital
• CORD Project is driving network solutions
• Anatomy of the Apache Struts vulnerability


Sysbus’ Trend Theme for April is "Security" Part 1

via Sysbus (Germany): "Open source software is the largest application security risk for organizations," said Mike Pittenger, vice president of security strategy at Black Duck. "Studies show that organizations are consistently underestimating how many open source components they run, and later reveal vulnerabilities that have existed for several years.

The use of open source will continue to grow because it creates considerable economic opportunities. In order to protect themselves in the future, companies must secure and manage their open source components."


Cloudera Is the Next Enterprise Tech IPO Based on Open-Source Software

Cloudera plans to raise money to keep scaling its enterprise big data offerings, reports INC. The company dropped its S-1 on Friday, registering its intent to raise $200 million in an IPO. The company's private valuation, based on various reports, is upwards of $4 billion, and it's raised more than $500 million in venture capital. Cloudera plans to trade on the New York Stock Exchange under the ticker symbol CLDR.

The S-1 reveals that revenue was $261 million in the fiscal year that ended in January, while losses were $187.3 million in the preceding year. Cloudera is built around the open-source Hadoop software library, meaning it will be 2017's second enterprise tech IPO based on open-source software, following Mulesoft.


This Open-Source Tech Company’s IPO Filing Reads Like an Argument against Building a Business on Open Source

In Quartz, AI reporter Dave Gershgorn lists a dozen reasons why investing in an open-source based company is risky, according to such a company.

“By the terms of certain open source licenses, we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, if we combine our proprietary software with open source software in a certain manner.”


Cloudera IPO: Risk for Cyberattacks, Lawsuits & Loss of IP?

Black Duck’s Fred Bals takes an in-depth look at the Quartz Cloudera article and examines whether Cloudera is a risky business because its value is dependent on open source.

“Again, while it is indeed true that some open source license terms could require proprietary code be released as open source itself, the fact that Cloudera acknowledges the issue indicates that it has processes in place to ensure that doomsday scenario doesn’t happen. A much scarier scenario would be the company that doesn’t realize the requirement to comply with the licenses of the open source they use – or worse, doesn’t even realize that they have the open source in their proprietary code. Most open source components are governed by one of about 2,500 known open source licenses, and the license obligations can be tracked and managed only if the open source components themselves are identified.”


From BlackHat Asia: Black Duck Open Source Security

via DailySecu (Korea): Development using open source for such things as mobile and IoT apps is growing at a tremendous pace. This is a global phenomenon, not limited to Korea. Open source security vulnerabilities and license management are becoming a security concern for enterprises. DailySecu interviewed Eno Chen, Black Duck APAC general manager, to learn more about open source security management.


7 Cities That Could Become the World’s Cybersecurity Capital

via Fortune: The film industry has Hollywood, the banks have Wall Street, and tech has Silicon Valley. But so far the fast-growing cybersecurity industry—slated to pull in more than $100 billion a year by 2020—has no obvious place to call home. If you believe in the theory of economic clusters, popularized in a 1998 HBR article by professor Michael Porter, the cyber business is exactly the sort of industry that could give rise to a regional hub or cluster—a "Cybercon Valley" if you will.


CORD Project: Driving Network Solutions with Open Source

CORD® (Central Office Re-architected as a Datacenter) is a platform leveraging leading edge SDN, NFV and Cloud technologies to build nimble in-line datacenters at the edge of operator networks, blogs Larry Peterson, CTO at ON.Lab and ONF, and Chief Architect at CORD Project.

CORD integrates a curated collection of dozens of leading open source projects, thus making a fully-integrated platform for building innovative solutions available for network operators. Designed to leverage the best of modern DevOps application development methodologies, CORD delivers an open, programmable, agile platform for service creation.


Anatomy of the Apache Struts Vulnerability

Stephen Mort, vulnerability analyst at Black Duck, takes a deep dive into the make-up of CVE-2017-5638, a severe vulnerability in the Struts MVC framework, and how the Apache Struts exploits work.

“Because of its extensive functionality, Struts is a widely used open source component in web applications. However, these same benefits and Struts’ integration with other frameworks can make upgrades and patches challenging. My goal is to help readers understand how an attacker might exploit this Apache Struts vulnerability.”

“Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. This is full remote command execution and has been actively exploited in the wild from the initial disclosure.”
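Since the flaw is triggered by a Content-Type value that is not a syntactically valid media type, one compensating control while a Struts upgrade is pending is to reject malformed Content-Type headers at the edge and to flag them in logs. The following is an added example, not code from the Black Duck post or the Struts project: a strict media-type validator applied to constructed access-log lines; the log format and all sample values are assumptions.

```python
import re

# RFC 7230 "token" characters. Note that whitespace and separators such as
# ( ) < > @ , ; : \ " / [ ] ? = { } are NOT allowed in a token.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# A parameter value is either a token or a quoted-string.
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
# type "/" subtype *( ";" parameter )
MEDIA_TYPE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")


def is_valid_content_type(value: str) -> bool:
    """Return True only if the header value is a well-formed media type."""
    return bool(MEDIA_TYPE.match(value))


# Constructed sample access-log lines (assumed format, not real traffic):
# client method path "Content-Type value", with "-" meaning header absent.
SAMPLE_LOG = [
    '10.0.0.5 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.6 POST /api/items "application/json"',
    '10.0.0.7 POST /upload.action "multipart/form-data; boundary={garbage} (not a media type)"',
    '10.0.0.8 GET /index.action "-"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def find_suspicious(lines):
    """Return (client, path, content_type) for every request whose
    Content-Type header is present but not a valid media type."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, path, ctype = m.groups()
        if ctype != "-" and not is_valid_content_type(ctype):
            hits.append((client, path, ctype))
    return hits


if __name__ == "__main__":
    for client, path, ctype in find_suspicious(SAMPLE_LOG):
        print(f"malformed Content-Type from {client} to {path}: {ctype!r}")
```

The same validator can sit in a reverse proxy or servlet filter to return 400 before the multipart parser ever sees the header.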


Leading Linux distros dawdle as kernel flaw persists

"Due to the ioctl settings on Docker, this shouldn't be executable from within a container," said Patrick Carey of open source security company Black Duck Software. "Obviously if you have access to the container host, all bets are off."


Subscribe

Stay up to date on open source security and cybersecurity – subscribe to our blog today.
