
Beware, Patching Bugs in Open Source Software is Your Problem

ONLY AS AN EXAMPLE, the Apache Foundation has released 3 patches this month for one product, Log4j, and today issued a patch for its web server, HTTPD (see below).

Many organizations run a lot of open source software, for example all Linux distributions are open source.

Also, there may be open source COMPONENTS inside the commercial software that your software vendor sells you. This is very common. For example, every major software vendor from Cisco to VMware has said that at least some of their products are vulnerable to the Apache Log4j bug that has been everywhere in the news this past week.

Unfortunately, it is your responsibility to KNOW what open source software is running in your company and, in many cases, it is your responsibility to find the patch and figure out how to deploy it.

The best way to deal with this is to have a complete software inventory of EVERYTHING that is running in your company and then, on top of that, to know what software components are inside each of those software products. The second task is somewhat hard for open source software and software that you build yourself, but much harder for commercial software.
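One way to act on that component inventory, as an added example that is not part of this alert: each product's software bill of materials (here a constructed CycloneDX-style fragment, not real vendor data) is checked against a watch list of affected components, and anything below the fixed version is flagged. The fixed version in the watch list is an assumed placeholder for illustration; the real value must come from the Apache advisory.

```python
import json
from typing import Dict, List, Tuple

# Watch list: "group/name" -> minimum version considered patched.
# The version is an ASSUMED placeholder; take the real fixed version
# from the project's advisory before relying on this.
WATCH_LIST: Dict[str, str] = {
    "org.apache.logging.log4j/log4j-core": "2.17.0",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.16.0-rc1' into a comparable tuple of ints."""
    core = v.split("-")[0]          # drop pre-release suffixes
    parts = []
    for p in core.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_patched(installed: str, fixed: str) -> bool:
    """Compare zero-padded tuples so that '2.17' counts the same as '2.17.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def flag_components(product: str, sbom_json: str) -> List[str]:
    """Return one finding per watched component that is below its fixed version."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key = f"{comp.get('group', '')}/{comp['name']}"
        fixed = WATCH_LIST.get(key)
        if fixed and not is_patched(comp["version"], fixed):
            findings.append(f"{product}: {key}@{comp['version']} (fixed in {fixed})")
    return findings

# Constructed SBOM fragments in CycloneDX layout; product names and contents are made up.
SBOMS = {
    "vendor-appliance": json.dumps({"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.httpcomponents", "name": "httpclient", "version": "4.5.13"},
    ]}),
    "in-house-portal": json.dumps({"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.0"},
    ]}),
}

def scan_all(sboms: Dict[str, str] = SBOMS) -> List[str]:
    """Walk every product's SBOM and collect the findings in one list."""
    findings: List[str] = []
    for product, bom in sboms.items():
        findings.extend(flag_components(product, bom))
    return findings

if __name__ == "__main__":
    for line in scan_all():
        print(line)
```

Run against real SBOMs (CycloneDX JSON exported by your build tooling or supplied by the vendor) the same loop tells you which products still carry the unpatched component.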

But if you don’t do it, as we saw with SolarWinds, the hackers get in, and once they are in it is very hard to remove them.

Deal with the issue now, or deal with it later. Later will be much, much more expensive.

DETAILS OF THE APACHE SOFTWARE FOUNDATION BUGS THIS MONTH

As if a major bug in Apache’s Log4j was not bad enough, the first patch didn’t fully fix the problem, and then researchers found a denial of service in the second, so Apache had to do a third release of Log4j within a week.

Now the Apache web server (HTTPD) has two critical bugs. The bugs can lead to either a denial of service attack or a security bypass.

The first bug is easy to exploit, does not require any authentication and can be launched remotely according to VulDB. Kind of a triple threat.

They also say that not all servers are vulnerable because you might not be using the affected module (it might not be enabled).

Since there is a lot of press about this, hackers will quickly be looking to see which websites are vulnerable and establishing a beachhead. That way, even if the server gets patched, they will remain inside, able to remotely control it and steal any data.

Credit: Threatpost and US CERT