In-Depth Analysis of Open Source Security Vulnerabilities Most Impactful to DevOps and DevSecOps Teams
2023 JFrog Security Research Report
EXECUTIVE SUMMARY
This report is designed to provide developers, DevOps engineers, security researchers, and information security leaders with timely, relevant insight into the security vulnerabilities that introduce risk into their software supply chains. The information provided herein will help you make more informed decisions on how to prioritize remediation efforts that address and mitigate the potential impact of known software vulnerabilities, so that your products and services remain secure.
JFrog is in a unique position to detail the impact of security vulnerabilities on software artifacts actually in use within today’s FORTUNE 100 companies. The JFrog Security Research team therefore compiled this first edition of the JFrog annual Common Vulnerabilities and Exposures (CVEs) report, providing an in-depth analysis of the top 10 most prevalent vulnerabilities of 2022, their “true” severity level, and best practices for mitigating the potential impact of each. The vulnerabilities contained herein are sorted from high to low by the number of software artifacts they impacted.
Methodology
As a designated CNA, the JFrog Security Research team regularly monitors and investigates new vulnerabilities to understand their true severity and publishes this information for the benefit of the community and all JFrog customers. This report is based on a sampling of the vulnerabilities most often detected in the calendar year 2022 via anonymous usage statistics from the JFrog Platform.
Each vulnerability entry includes a summary of the commercial status and severity of the issue, plus an in-depth analysis that exposes several new technical details about its impact on today’s enterprise systems. This should enable security teams to better evaluate whether they are actually impacted by each issue. The analysis establishes the JFrog Security Research severity rating for each of the top 10 most prevalent CVEs in 2022, outlines the notable lessons learned from each, and offers guidance to help improve your security posture for 2023.
In addition to each in-depth CVE assessment, this report provides a trend analysis of the total number of CVEs from previous years that affected the same software components to help deduce which software components are likely to remain vulnerable in 2023.
CONTENTS
- Glossary
- Executive Summary
- Key Findings
- JFrog Security Recommendations for 2023
- Vulnerability Analysis and Findings
- #1 CVE-2022-0563 – Data Leakage in util-linux
- #2 CVE-2022-29458 – Denial of service in ncurses
- #3 CVE-2022-1304 – Local privilege escalation in e2fsprogs
- #4 + #5 CVE-2022-42003 / CVE-2022-42004 – Denial of service in Jackson-databind
- #6 CVE-2022-3821 – Denial of service in systemd
- #7 CVE-2022-1471 – Remote code execution in SnakeYAML
- #8 + #9 + #10 CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750 – Denial of service in SnakeYAML
- Author Biographies
GLOSSARY
The following terms are used throughout this document.
CVE | Common Vulnerabilities and Exposures. A glossary that classifies vulnerabilities, managed by the NVD (a U.S. government repository of standards). Used in this report to denote “a publicly known vulnerability, referred to by its unique ID, such as CVE-2022-3602”.
CVSS | Common Vulnerability Scoring System. A vulnerability severity score ranging from 0 to 10 (most severe), given to each CVE. The score reflects how hard the vulnerability is to exploit and how much damage it can cause once exploited, and is meant to help users decide which vulnerabilities are crucial to fix.
CNA | CVE Numbering Authority. Organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.
NVD Severity | The National Vulnerability Database (NVD) severity rating of a CVE, officially defined by its CVSS score according to the following ranges –
JFrog Severity | The severity of the CVE, as defined by JFrog’s Security Research team, using the following levels – Low, Medium, High, Critical.
Affected Artifacts | The number of artifacts present in JFrog’s Artifactory Cloud that have been found vulnerable to a specific CVE. Based on anonymous usage statistics from the JFrog Artifactory Cloud.
AUTHOR BIOGRAPHIES
Our dedicated team of security engineers and researchers is committed to advancing software security through the discovery, analysis, and disclosure of new vulnerabilities and attack methods.
Stay up-to-date with JFrog Security Research. Follow the latest discoveries and technical updates from the JFrog Security Research team in our security research blog posts and on Twitter at @JFrogSecurity.
Shachar Menashe
Shachar Menashe is senior director of JFrog Security Research. With over 17 years of experience in security research, including low-level R&D, reverse engineering, and vulnerability research, Shachar is responsible for leading a team of researchers in discovering and analyzing emerging security vulnerabilities and malicious packages. He joined JFrog through the Vdoo acquisition in June 2021, where he served as vice president of security. Shachar holds a B.Sc. in electronics engineering and computer science from Tel-Aviv University.
Yair Mizrahi
Yair Mizrahi is a Senior Vulnerability Researcher at JFrog Security. Mizrahi has over a decade of experience and specializes in vulnerability research and reverse engineering. He is responsible for discovering and analyzing emerging security vulnerabilities. In addition, Mizrahi discovered various zero-days and exploited multiple zero-clicks as an Android vulnerability researcher.