Analyse approfondie des principales vulnérabilités de sécurité Open Source pour les équipes DevOps et DevSecOps
2023 JFrog Security Research Report
Destiné aux développeurs, ingénieurs DevOps, chercheurs en sécurité et leaders de la sécurité de l’information, ce rapport fournit de précieuses informations sur les vulnérabilités de sécurité des chaînes d’approvisionnement logicielles. Il vous aide à hiérarchiser vos actions de remédiation en vue de traiter et d’atténuer l’impact éventuel de vulnérabilités connues sur la sécurité des produits et des services. Forte de son positionnement unique qui lui permet d’accéder aux artefacts logiciels utilisés par les entreprises actuelles du classement FORTUNE 100, JFrog présente la première édition de son rapport annuel sur les vulnérabilités et failles critiques (CVE). Ce rapport intègre une analyse approfondie des 10 vulnérabilités les plus répandues en 2022, en détaillant leur niveau réel de gravité et les bonnes pratiques permettant de circonscrire leur impact potentiel. Les vulnérabilités sont classées en fonction du nombre d’artefacts logiciels touchés, du plus élevé au plus faible.
En bref :
Ce rapport propose des informations pertinentes et d’actualité sur les vulnérabilités de sécurité présentes dans les chaînes d’approvisionnement logicielles.
- Il vous aide à hiérarchiser vos actions de remédiation en vue de garantir la sécurité des produits et des services.
- Le positionnement unique de JFrog lui permet d’analyser les vulnérabilités qui touchent les artefacts logiciels utilisés par les entreprises du classement FORTUNE 100.
- Le rapport fournit une analyse approfondie des 10 principales vulnérabilités de 2022, en indiquant leur degré de gravité et en proposant de bonnes pratiques de remédiation.
- Les vulnérabilités sont classées selon le nombre d’artefacts logiciels affectés.
CONTENTS
- Glossary
- Executive Summary
- Key Findings
- JFrog Security Recommendations for 2023
- Vulnerability Analysis and Findings
- #1 CVE-2022-0563 – Data Leakage in util-linux
- #2 CVE-2022-29458 – Denial of service in ncurses
- #3 CVE-2022-1304 – Local privilege escalation in e2fsprogs
- #4 + #5 CVE-2022-42003 / CVE-2022-42004 – Denial of service in Jackson-databind
- #6 CVE-2022-3821 – Denial of service in systemd
- #7 CVE-2022-1471 – Remote code execution in SnakeYAML
- #8 + #9 + #10 CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750 – Denial of service in SnakeYAML
- Authors Biographies
GLOSSARY
The following terms are used throughout this document.
| CVE | Common Vulnerabilities and Exposures. A glossary that classifies vulnerabilities, managed by the NVD (a U.S government repository of standards). Used in this report to denote “A publicly-known vulnerability, referred to by its unique ID such as CVE-2022-3602” | ||||||||||||
| CVSS | Common Vulnerability Scoring System. A vulnerability severity score ranging from 0 to 10 (most severe), given to each CVE. The score reflects how hard the vulnerability is to exploit and how much damage it can cause once exploited. The score is meant to help users decide which vulnerabilities are crucial to fix. | ||||||||||||
| CNA | CVE Numbering Authority. Groups that are authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. | ||||||||||||
| NVD Severity | The National Vulnerability Database (NVD) severity rating of any CVE, officially defined by its CVSS according to the following ranges –
|
||||||||||||
| JFrog Severity | The severity of the CVE, as defined by JFrog’s Security Research team. The severity uses the following levels – Low, Medium, High, Critical | ||||||||||||
| Affected Artifacts | The number of artifacts present in JFrog’s Artifactory Cloud that have been found vulnerable to a specific CVE. Based on anonymous usage statistics from the JFrog Artifactory Cloud. |
AUTHORS BIOGRAPHIES
Our dedicated team of security engineers and researchers are committed to advancing software security through discovery, analysis, and exposure of new vulnerabilities and attack methods.
Stay up-to-date with JFrog Security Research. Follow the latest discoveries and technical updates from the JFrog Security Research team in our security research blog posts and on Twitter at @JFrogSecurity.
Shachar Menashe
Shachar Menashe is senior director of JFrog Security Research. With over 17 years of experience in security research, including low-level R&D, reverse engineering, and vulnerability research, Shachar is responsible for leading a team of researchers in discovering and analyzing emerging security vulnerabilities and malicious packages. He joined JFrog through the Vdoo acquisition in June 2021, where he served as vice president of security. Shachar holds a B.Sc. in electronics engineering and computer science from Tel-Aviv University.
Yair Mizrahi
Yair Mizrahi is a Senior Vulnerability Researcher at JFrog Security. Mizrahi has over a decade of experience and specializes in vulnerability research and reverse engineering. He is responsible for discovering and analyzing emerging security vulnerabilities. In addition, Mizrahi discovered various zero-days and exploited multiple zero-clicks as an Android vulnerability researcher.
