lolloj - Fotolia


Open source vulnerabilities hit VMware

A remote code execution vulnerability in Apache Struts 2 affected four VMware products. Keeping a VMware environment secure goes beyond basic features and tools.

Everything has a dark side, including open source software. VMware and its users found that out firsthand when a developer discovered an Apache Struts 2 vulnerability that affected several VMware products.

Open source vulnerabilities are complicated, so enterprises need to be aware of their potential problems and proactively manage such software.

Apache Struts 2 is an open source web application framework for developing Java applications that has been in use since 2007. The recent Apache Struts 2 vulnerability affected vCenter Server 6.0 and 6.5, vRealize Operations Manager 6.x, vRealize Hyperic Server 5.x, and versions 6.x and 7.x of the Horizon Desktop-as-a-Service Platform.

If a hacker were to successfully exploit the Apache Struts 2 vulnerability -- deemed "critical" by VMware -- he could compromise whichever VMware product his intended target is using.

The growing open source conundrum

Open source threats are becoming more common for a couple of reasons. Corporations and vendors like VMware are under pressure to update software quickly. Open source is valuable because it lowers development costs and speeds up time to market.

"The threat potential depends on how an enterprise application uses open source solutions and what security tools are in place," said Peter Lindstrom, vice president of security research at IDC.

In a worst-case scenario for a VMware user, an opening in vCenter Server would give an attacker the proverbial keys to a customer's VMware kingdom -- basically, free rein to all of the customer's data.

Organizations can deploy open source software quickly because it is accessible. The user's staff does not write and test the software, either, thereby reducing development costs. Finally, there are a lot of free open source products.

Because of these benefits, many applications use open source. Black Duck Software Inc., a security software vendor based in Burlington, Mass., conducts hundreds of open source code audits annually and found that 96% of the 1,071 applications it analyzed in 2016 contained open source code.

Developers create open source products transparently, so there is no mystery behind the code and how it functions. However, the transparency also benefits hackers, who often spend a lot of time trying to figure out how proprietary software functions so they can exploit it.

Also, increasingly, software vendors mix and match elements from different sources, blending proprietary and open source code. As vendors add to existing software, such as vCenter Server, the code base grows more complex. In fact, commercial applications nowadays contain hundreds of millions of lines of code. As a result, customers don't always know which open source components a vendor's software contains.

Consequently, some VMware customers need help identifying specific open source components. Vendors, such as Black Duck Software, nexB and Rogue Wave Software offer automated tools to identify open source code.

Remediation complexity increases

Companies often automatically push out new versions of commercial software to users, but open source follows a pull support model. Here, the user -- in this case, VMware -- is responsible for keeping track of any open source vulnerabilities and fixes.

"Having another pair of eyes look at its software might help vendors deliver more secure code," said Marco Alcala, CEO at Alcala Consulting, which delivers IP services to SMBs.

Remediation requires more steps. First, the open source group has to fix the problem and ensure the software works. Then, the vendor has to take the update, incorporate it into its product and ensure its software still runs.

Apache patched the Apache Struts 2 vulnerability on March 6, and VMware responded with its own fixes about a week later.

Potential problems arise

Security vulnerability fixes don't always go smoothly. A supplier could be unaware that its software relies on vulnerable code, doesn't have the resources available to fix the problem or just assumes someone else already tested the software and focuses on other development work.

As a result, many customers run versions of open source software with known vulnerabilities. This is a growing problem: Black Duck found that more than 60% of applications contain open source vulnerabilities.

In some cases, the vulnerabilities lie in wait for years, and the potential damage is enormous. Lindstrom pointed to Heartbleed, a flaw in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. The Heartbeat Extension for TLS introduced the bug when it went unnoticed and a developer implemented the code into OpenSSL's source code. A member of Google's security team reported the bug in April 2014.

Because the software is widely used, many high profile problems arose. Community Health Systems, the second largest for-profit U.S. hospital chain, had up to 4.5 million patient records compromised; Canada Revenue Agency reported a theft of taxpayers' social insurance numbers; and hackers hijacked user accounts and impersonated the CEO of U.K. parenting site Mumsnet.

Open source helps vendors and businesses deliver software faster and cheaper, but it creates new security challenges. VMware customers should invest in testing tools and incorporate more open source security testing into their application deployment processes.

Next Steps

Juggling the benefits and pitfalls of open source

How VMware uses open source to push cloud native apps

What is the open source alternative to VMware vShield Zones?

Dig Deeper on Securing a VMware environment