This was extracted (@ 2024-12-18 21:10) from a list of minutes
which have been approved by the Board.
Please Note
The Board typically approves the minutes of the previous meeting at the
beginning of every Board meeting; therefore, the list below does not
normally contain details from the minutes of the most recent Board meeting.
WARNING: these pages may omit some original contents of the minutes.
Meeting times vary; the exact schedule is available to ASF Members and Officers. Search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).
October 2024:
* This is the first Security board report that includes project-specific health concern notes in the public part of the report.
* Some press stories about old security vulnerabilities, such as Log4Shell and RocketMQ. There was also some coverage of more recent disclosures, like the recent Avro and OFBiz vulnerabilities.
  https://www.bloomberg.com/news/newsletters/2024-10-09/hackers-still-target-outdated-software-flaw-despite-available-fixes
  https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/
  https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html
  https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html
* A flaw in OFBiz, CVE-2024-38856, which was reported by a large number of seemingly independent researchers, was added to CISA's Known Exploited Vulnerabilities catalog (KEV).
* We've taken further inventory of which projects are already publishing Software Bill of Materials (SBOM) information for their published artifacts. For visibility and experimentation, we're aggregating SBOMs in a GitHub repo and publishing an interactive graph of relationships between artifacts from different projects.
  https://github.com/apache/security-site/tree/sboms
  https://sbom.security.apache.org/
  This sparked some discussion on the security-discuss list on how to provide accurate and complete SBOMs, which led to an upstream discussion for the cyclonedx-maven-plugin.
  https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/472

Stats for October 2024:
32 [license confusion]
20 [report/question relating to dependencies]
13 [support request/question not security notification]

Security reports: 76 (last months: 72, 64, 88)
16 ['website or other infrastructure']
10 ['fineract']
7 ['huntr']
6 ['airflow']
4 ['httpd']
3 ['superset']
2 ['kafka', 'vlc']
1 ['activemq', 'arrow', 'carbondata', 'cloudstack', 'cwe', 'doris', 'guacamole', 'hertzbeat', 'hive', 'jackrabbit', 'libcloud', 'logging', 'manifoldcf', 'mina', 'mynewt', 'openjpa', 'ponymail', 'rocketmq', 'seata', 'shiro', 'solr', 'spamassassin', 'spark', 'tomcat', 'website', 'zeppelin']

In total, as of 1st November 2024, we're tracking 175 (last months: 179, 176) open issues across 63 projects, median age 107 days (last months: 69, 95). 62 of those issues have CVE names assigned. 15 (last month: 20) of these issues, across 9 projects, are older than 365 days.

Updates for projects with 'amber' or 'red' health status:
* ambari (Health amber): patchy responsiveness to the security team over reported issues. The PMC states this is due to a very small community. We have advised them to seek help from experts outside the PMC on a case-by-case basis. (Last update: 2024-10-14)
* commons (Health amber): One issue in Commons is over 365 days old. (Last update: 2024-10-15)
* fineract (Health amber): The PMC has been attempting to engage more of the wider Fineract ecosystem to help triage, fix and release security issues, but with limited effect so far. (Last update: 2024-11-01)
* geode (Health red): Four issues in Geode are over 365 days old. The project has voted to move to the Attic, but there might be a chance of revisiting that decision if relevant stakeholders successfully join the effort. (Last update: 2024-11-01)
* hive (Health amber): Three issues in Hive are over 365 days old. (Last update: 2024-10-01)
* oozie (Health red): not making releases. The project appears dormant. An issue in Oozie is over 365 days old. We are at the first step of the formal escalation process. (Last update: 2024-11-02)
* openoffice (Health amber): Three issues in OpenOffice are over 365 days old, and a number of other open issues are not fully triaged. (Last update: 2024-10-25)
September 2024:
- We've continued working on capturing health scorecard data for projects.

Stats for September 2024:
72 security reports (last months: 64, 88, 61)
37 license confusion
14 support request/question not security notification
4 report/question relating to dependencies

In total, as of 1st October 2024, we're tracking 179 (last months: 176, 183) open issues across 69 projects, median age 69 days (last months: 95, 98). 66 of those issues have CVE names assigned. 20 (last month: 21) of these issues, across 9 projects, are older than 365 days.
August 2024:
- We've continued working on formally documenting our process for reminders, actions and escalations when projects don't respond to security issues in a timely manner. The aim is to make this clear and consistent, and then start applying it more widely to any unhealthy projects.
- We're working on capturing health scorecard data for projects and will start to report that to the board from next month. The aim is for board reports to show you the projects that have red flags and the current state of the security team's handling of the situation. We will focus less on the automated metrics, which we will continue to collect and will summarise in our yearly security report as well as the annual report. This month has a reduced summary below as an example. The health status can be combined with other health data the board has access to, such as from the direct board reports from the project, to help decide on any additional remedial actions needed.
- CVE-2024-38856, an authorization flaw which has been fixed in Apache OFBiz, was added to the NIST KEV (Known Exploited Vulnerabilities) list.
- Stats for August 2024:
  64 security reports (last months: 88, 61, 51)
  38 license confusion
  15 support request/question not security notification
  5 report/question relating to dependencies

  In total, as of 1st September 2024, we're tracking 176 (last months: 183, 198) open issues across 66 projects, median age 95 days (last months: 98, 108). 56 of those issues have CVE names assigned. 21 (last month: 17) of these issues, across 10 projects, are older than 365 days.
July 2024:
- Published a blog post to announce the completion of the audit of three Commons components coordinated through OSTIF at https://security.apache.org/blog/commons-audit/ .
- Published some high-level information about our formal escalation policies when a PMC is not responsive to security issues at https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
- Published a public statement on how the ASF is different to a 'vendor' on topics such as Service Level Agreements, Data Processing, compliance statements and provenance. https://security.apache.org/blog/data-processing-compliance-statements-and-sla/
- Work on OpenSSF Scorecards: one identified change that would increase the score across the ASF would be to configure GitHub projects to enable branch protection by default, explicitly opting out of this for CTR projects. We determined what would be needed for this and summarized it in INFRA-25908.
- Looked into leveraging GitHub "Dependency Submission" content to collect (primitive) SBOM information for projects that don't publish bespoke SBOM information yet.

Stats for July 2024:
43 [license confusion]
16 [support request/question not security notification]
2 [report/question relating to dependencies]

Security reports: 88 (last months: 61, 51, 61)
16 ['website or other infrastructure']
13 ['airflow']
6 ['httpd']
4 ['cloudstack', 'superset']
3 ['answer', 'openoffice']
2 ['cordova', 'deloitte', 'jspwiki', 'linkis', 'mynewt']
1 ['abuse', 'ambari', 'ant', 'arrow', 'cveprocess', 'dolphinscheduler', 'drill', 'druid', 'echarts', 'guacamole', 'hadoop', 'hertzbeat', 'hive', 'logging', 'netbeans', 'ofbiz', 'ozone', 'pinot', 'poi', 'ponymail', 'rocketmq', 'roller', 'seata', 'shiro', 'spark', 'tomcat', 'wicket', 'zeppelin', 'zookeeper']

In total, as of 1st August 2024, we're tracking 183 (last months: 198, 185) open issues across 68 projects, median age 98 days (last months: 108, 91). 45 of those issues have CVE names assigned. 17 (last month: 15) of these issues, across 9 projects, are older than 365 days.
June 2024:
- We continue working with projects to publish 'security model' information on their websites, this month TVM and HugeGraph.
- Work on OpenSSF Scorecards and Best Practices Badges: getting an overview of how Apache repositories score and looking at which across-the-board changes would have the most impact.
- Arnout participated in Community over Code EU and the Tomcat Security Day.
- Looking into ways to publish security policy/contact and EOL information about projects, possibly leveraging DOAP, and working towards publishing our own advisories in OSV format as well as CVE.

Stats for June 2024:
21 [license confusion]
13 [support request/question not security notification]
10 [report/question relating to dependencies]

Security reports: 62 (last months: 51, 61, 108, 78)
7 ['airflow']
5 ['website or other infrastructure']
4 ['superset']
3 ['openoffice']
2 ['beam', 'commons', 'hive', 'hop', 'httpd', 'trafficserver']
1 ['age', 'allura', 'answer', 'apisix', 'apr', 'arrow', 'axis', 'brooklyn', 'cloudstack', 'cnvd', 'geode', 'groovy', 'hugegraph', 'james', 'kafka', 'linkis', 'mynewt', 'nifi', 'ofbiz', 'ranger', 'seatunnel', 'shardingsphere', 'subversion', 'syncope', 'tomcat', 'tvm', 'unomi', 'usergrid', 'wicket']

In total, as of 1st July 2024, we're tracking 198 (last months: 185, 191) open issues across 70 projects, median age 108 days (last months: 91, 75, 73). 63 of those issues have CVE names assigned. 15 (last month: 13) of these issues, across 8 projects, are older than 365 days.
May 2024:
- An older Flink CVE, CVE-2020-17519, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- We continue working with projects to publish 'security model' information on their websites, this month Ignite.
- We have cross-referenced our CVEs with the advisories in GitHub's advisory database (used for tools such as dependabot), and added additional metadata in some cases.
- Further refined our internal 'reminders, actions and escalations' workflow/guidelines, with the intent to make some of the advanced escalations more formal and public.
- Work on OpenSSF Scorecards and Best Practices Badges.
- Preparations for advisories for remaining Submarine security reports, as this project is moving to the Attic.
- Experimented with Guac for giving projects more incentive to produce SBOMs.
- Provided further feedback on the report for the audit of three Commons components coordinated through OSTIF.
- Worked with the Zeppelin project to try and involve more people in their security process, to avoid falling behind again.

Stats for May 2024:
25 [license confusion]
11 [support request/question not security notification]
6 [report/question relating to dependencies]

Security reports: 51 (last months: 61, 108, 78, 86)
7 ['zeppelin']
6 ['httpd']
5 ['tomcat']
4 ['airflow']
3 ['activemq', 'hc', 'logging', 'website or other infrastructure']
2 ['cxf', 'fineract', 'hertzbeat', 'qpid', 'solr']
1 ['allura', 'ambari', 'commons', 'commons-ostif', 'dubbo', 'eventmesh', 'flink', 'fury', 'maven', 'ofbiz', 'pulsar', 'ranger', 'royale', 'struts', 'superset', 'vince', 'wicket']

In total, as of 1st June 2024, we're tracking 185 (last months: 191, 197) open issues across 67 projects, median age 91 days (last months: 75, 73, 82). 62 of those issues have CVE names assigned. 13 (last month: 12) of these issues, across 8 projects, are older than 365 days.
April 2024:
- We worked with the Zeppelin team to get a large number of advisories published, some very old. This is a great milestone in getting the Zeppelin project back to health security-wise, and the challenge is now to keep this momentum and involve more of the Zeppelin community to remain in shape.
- We have iterated on our reminders, actions and escalation workflow for projects that are struggling to respond to security reports. We expect to further formalize some of those steps into a public escalation policy.
- Further preparations for wrapping up the OSTIF-coordinated Commons audit.
- Further monitoring of the xz issue. https://security.apache.org/blog/cve-2024-3094/

Stats for April 2024:
31 [license confusion]
24 [support request/question not security notification]
8 [report/question relating to dependencies]

Security reports: 61 (last months: 108, 78, 86, 70, 74)
7 ['zeppelin']
6 ['httpd']
5 ['tomcat']
4 ['airflow']
3 ['activemq', 'hc', 'logging', 'website or other infrastructure']
2 ['cxf', 'fineract', 'hertzbeat', 'qpid', 'solr']
1 ['allura', 'ambari', 'commons', 'commons-ostif', 'dubbo', 'eventmesh', 'flink', 'fury', 'maven', 'ofbiz', 'pulsar', 'ranger', 'royale', 'struts', 'superset', 'vince', 'wicket']

In total, as of 1st May 2024, we're tracking 191 (last months: 197, 173) open issues across 68 projects, median age 75 days (last months: 73, 82). 54 of those issues have CVE names assigned. 12 (last month: 22) of these issues, across 7 projects, are older than 365 days.
March 2024:
- We performed work on the xz backdoor issue known as CVE-2024-3094, coordinating with others and PMCs, and published and updated a blog post about it. https://security.apache.org/blog/cve-2024-3094/
- We coordinated with other vendors on an industry-wide HTTP/2 protocol issue.
- We published a blog post on how we credit people who report security issues. https://security.apache.org/blog/cve-2024-3094/
- We initiated a retrospective of a security report where multiple organisations were involved, where we shared some recommendations on how to resolve the issue more smoothly next time.

Stats for March 2024:
40 [license confusion]
14 [support request/question not security notification]
11 [report/question relating to dependencies]

Security reports: 108 (last months: 78, 86, 70, 74)
11 ['airflow']
10 ['website or other infrastructure']
9 ['dolphinscheduler']
6 ['commons', 'streampark']
4 ['pulsar']
3 ['cxf', 'hugegraph', 'openoffice', 'shenyu', 'streampipes', 'superset']
2 ['activemq', 'answer', 'cloudstack', 'guacamole', 'iotdb', 'paimon', 'site', 'solr', 'struts', 'submarine']
1 ['any23', 'cordova', 'db', 'directory', 'doris', 'dubbo', 'fury', 'httpd', 'impala', 'james', 'kafka', 'karaf', 'kylin', 'nifi', 'ofbiz', 'seata', 'servicecomb', 'shindig', 'sling', 'spark', 'steve', 'tomcat', 'velocity', 'xmlgraphics']

In total, as of 1st April 2024, we're tracking 197 (last months: 173, 199) open issues across 63 projects, median age 73 days (last months: 82, 90, 119). 61 of those issues have CVE names assigned. 22 (last month: 23) of these issues, across 7 projects, are older than 365 days.
February 2024:
- Apache Archiva retired to the Attic with a number of open security reports. We took care of publishing advisories for those.
- Apache Ambari has published advisories for all issues that were previously briefly prematurely disclosed by a third party. We're still planning a retrospective to ensure the communication expectations are understood.
- We looked into the Cc/Reply-to issue that is causing issues with emails not being delivered to GMail mailboxes, which also affects security reports.
- We reviewed the preliminary report of the OSTIF audit of several Apache Commons components and provided feedback.
- We worked with the Santuario project to improve the messaging around the XML Security for C++ project.
- We provided input to Infra on how to improve the security and privacy of Apache project websites by applying an Apache-wide default Content-Security-Policy header (INFRA-25518).

Stats for Feb 2024:
46 [license confusion]
14 [support request/question not security notification]
10 [report/question relating to dependencies]

Security reports: 78 (last months: 86, 70, 74, 76)
11 ['airflow']
5 ['dolphinscheduler']
4 ['tomcat']
4 ['website or other infrastructure']
3 ['pulsar', 'spark', 'superset']
2 ['cloudstack', 'commons', 'db', 'guacamole', 'linkis', 'trafficserver', 'tvm']
1 ['answer', 'apisix', 'apr', 'arrow', 'aurora', 'beam', 'camel', 'datafu', 'dubbo', 'flex', 'flink', 'groovy', 'httpd', 'ibb', 'kafka', 'lucene', 'lucenenet', 'mahout', 'mesos', 'mxnet', 'parquet', 'qpid', 'shenyu', 'servicecomb', 'storm', 'streampipes', 'submarine', 'tribes', 'velocity', 'wicket', 'zeppelin']

In total, as of 1st March 2024, we're tracking 173 (last months: 199, 175) open issues across 67 projects, median age 82 days (last months: 90, 119). 61 of those issues have CVE names assigned. 23 (last month: 28) of these issues, across 8 projects, are older than 365 days.
January 2024:
- Deployments that are vulnerable because they did not change the default keys in Apache Superset appear to be actively exploited. The project has removed the default keys from recent versions, and published CVE-2023-27524 for this issue, which was included in the CISA Known Exploited Vulnerabilities (KEV) database.
- We have integrated the experimental Apache OIDC 2FA provider to give access to our experimental SBOM platform to all Apache volunteers.
- We provided input for a number of press pieces on OFBiz issue CVE-2023-51467.
- We worked with Google to improve access to Commons oss-fuzz results.

Stats for Jan 2024:
30 [license confusion]
19 [support request/question not security notification]
12 [report/question relating to dependencies]

Security reports: 86 (last months: 70, 74, 76)
13 ['airflow']
7 ['website or other infrastructure']
5 ['superset']
4 ['commons', 'dolphinscheduler', 'tomcat']
3 ['answer', 'inlong', 'maven']
2 ['ambari', 'camel', 'dubbo', 'fineract', 'hive', 'httpd', 'nifi', 'ofbiz', 'zeppelin']
1 ['brpc', 'cisa', 'cocoon', 'druid', 'flink', 'groovy', 'hc', 'hop', 'ignite', 'iotdb', 'kafka', 'kudu', 'mynewt', 'openjpa', 'pdfbox', 'roller', 'santuario', 'seata', 'servicecomb', 'sling', 'streampipes', 'struts']

In total, as of 1st February 2024, we're tracking 199 (last months: 175, 180) open issues across 64 projects, median age 90 days (last months: 119, 122). 73 of those issues have CVE names assigned. 27 (last month: 29) of these issues, across 9 projects, are older than 365 days.
December 2023:
- The Tomcat project has been onboarded in the HackerOne Internet Bug Bounty (IBB) program, meaning reporters who are credited in Tomcat CVEs can now claim a bug bounty from that program.
- Struts published a fix for a critical vulnerability, CVE-2023-50164 (S2-066), which attracted some attention online.
- OFBiz published a fix for a critical vulnerability, CVE-2023-49070, and an update, CVE-2023-51467, which is being exploited. https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/

Stats for Dec 2023:
30 [license confusion]
16 [support request/question not security notification]
10 [report/question relating to dependencies]

Security reports: 70 (last months: 74, 76, 66)
12 ['airflow']
9 ['website or other infrastructure']
5 ['ofbiz']
4 ['httpd']
3 ['hugegraph', 'superset', 'tomcat']
2 ['james', 'streampark', 'struts']
1 ['answer', 'camel', 'cassandra', 'commons', 'flink', 'geode', 'guacamole', 'helix', 'hive', 'hop', 'inlong', 'kylin', 'linkis', 'openjpa', 'openoffice', 'seata', 'shiro', 'sling', 'solr', 'streampipes', 'submarine', 'whimsy', 'zeppelin']

In total, as of 1st January 2024, we're tracking 175 (last months: 180, 183) open issues across 61 projects, median age 119 days (last months: 122, 116). 56 of those issues have CVE names assigned. 29 (last month: 22) of these issues, across 11 projects, are older than 365 days.
The board trusts the security team to follow through on the plan in place for Zeppelin.
November 2023:
- A fix for a serious issue in ActiveMQ (CVE-2023-46604) has been released, but unfortunately it seems installations that have not been upgraded are actively exploited. The issue has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.
- Based on input from various parts of the ASF, we have formulated a response to the White House Office of the National Cyber Director (ONCD) Request for Information (RFI) on "Open-Source Software Security and Memory Safe Programming Languages". https://www.regulations.gov/comment/ONCD-2023-0002-0106
- We have worked closely with DolphinScheduler to get back to security health. While there is still significant work to do, the project has been active and we are confident they will turn things around.
- We have worked with the Logging team supporting their efforts around reproducible builds and providing SBOM/VEX/VDR information.
- We have set up an experimental platform to collect and aggregate SBOMs and information about advisories for 3rd-party dependencies. This is already populated with information from 257 artifacts across 13 Apache projects, which we plan to expand and use to get more actionable information.

Stats for Nov 2023:
34 [license confusion]
24 [report/question relating to dependencies]
15 [support request/question not security notification]

Security reports: 74 (last months: 76, 66, 65)
17 ['website or other infrastructure']
8 ['airflow']
3 ['apr', 'arrow']
2 ['doris', 'drill', 'guacamole', 'httpd', 'mxnet', 'nifi', 'struts', 'superset', 'vince', 'zeppelin']
1 ['answer', 'beam', 'cloudstack', 'commons', 'flink', 'gobblin', 'hive', 'iceberg', 'james', 'kylin', 'logging', 'mina', 'ofbiz', 'openoffice', 'poi', 'ranger', 'shiro', 'spark', 'streampark', 'tiles', 'tvm', 'wicket', 'zookeeper']

In total, as of 1st December 2023, we're tracking 180 (last months: 183, 172) open issues across 59 projects, median age 122 days (last months: 116, 104). 52 of those issues have CVE names assigned. 22 (last month: 20) of these issues, across 8 projects, are older than 365 days.
WHEREAS, the Apache Software Foundation (ASF) Board Committee, known as the Apache Security Team, expects to better serve its purpose through the periodic update of its membership; and

WHEREAS, the Apache Security Team is a Board-appointed committee whose membership must be approved by Board resolution;

NOW, THEREFORE, BE IT RESOLVED, that the following ASF members be added as Apache Security Team members:
Jarek Potiuk <potiuk@apache.org>
Henri Yandell <bayard@apache.org>

Special Order 7C, Update Apache Security Team Membership, was approved by Unanimous Vote of the directors present.
October 2023:
- A recently fixed and published vulnerability in Apache ActiveMQ, CVE-2023-46604, has been getting some press attention due to it being exploited, including by ransomware. It has been added to the CISA Known Exploited Vulnerabilities list.
- We participated in Community over Code NA, among other conversations sharing the learnings from the formation of the Airflow security team.

Stats for Oct 2023:
36 [license confusion]
12 [report/question relating to dependencies]
9 [support request/question not security notification]

Security reports: 76 (last months: 66, 65, 88)
15 ['airflow']
14 ['website or other infrastructure']
4 ['httpd']
3 ['seatunnel', 'trafficserver']
2 ['ambari', 'commons', 'inlong', 'jspwiki', 'linkis', 'openoffice', 'shiro', 'superset']
1 ['activemq', 'allura', 'apisix', 'avro', 'axis', 'brpc', 'camel', 'doris', 'dubbo', 'flink', 'guacamole', 'hive', 'infra', 'iotdb', 'kafka', 'logging', 'oozie', 'solr', 'spark', 'tomcat', 'zookeeper']

In total, as of 1st November 2023, we're tracking 183 (last months: 172, 181) open issues across 56 projects, median age 116 days (last months: 104, 108). 50 of those issues have CVE names assigned. 20 (last month: 14) of these issues, across 8 projects, are older than 365 days.
@Bertrand: follow up with security team about zeppelin roll call
September 2023:
- Some time ago Santuario worked with Zoho to diagnose an issue that turned out to be incorrect use of an outdated xmlsec (Apache Santuario) by Zoho. Zoho fixed their software and disclosed CVE-2022-47966 for it. Unfortunately one of their on-prem customers had not upgraded and was compromised. This was published as a CISA CSA at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a and was picked up by some news outlets, but received no wide coverage.
- CISA has added Apache RocketMQ vulnerability CVE-2023-33246 to their Known Exploited Vulnerabilities (KEV) catalog.
- The HackerOne Internet Bug Bounty (IBB) programme has indicated they are interested in onboarding additional Apache projects. We are working with them on this.

Stats for Sept 2023:
58 [license confusion]
12 [report/question relating to dependencies]
11 [support request/question not security notification]

Security reports: 66 (last months: 65, 88, 73)
15 ['website or other infrastructure']
14 ['airflow']
6 ['tomcat']
2 ['cxf', 'dubbo', 'fineract', 'httpd', 'ibb', 'ignite']
1 ['archiva', 'beam', 'commons', 'cwe', 'druid', 'geode', 'guacamole', 'hive', 'hop', 'kafka', 'linkis', 'mxnet', 'ofbiz', 'openoffice', 'pdfbox', 'santuario', 'stf', 'storm', 'zookeeper']

In total, as of 2nd October 2023, we're tracking 172 (last months: 181, 171) open issues across 52 projects, median age 104 days (last months: 108, 106). 52 of those issues have CVE names assigned. 14 (last month: 13) of these issues, across 7 projects, are older than 365 days.
August 2023:
* CISA released their '2022 Top Routinely Exploited Vulnerabilities' report, mentioning "malicious cyber actors continued to show high interest in CVE-2021-44228 through the first half of 2022" (Log4Shell). The 'Additional Routinely Exploited Vulnerabilities' table also lists some HTTP Server vulnerabilities and a follow-up on Log4Shell: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
* Nucleus Security made a visual representation of vendors in CISA's Known Exploited Vulnerabilities report. With 28 of the 989 vulnerabilities, Apache is visible on the chart: https://nucleussec.com/cisa-kev-art/

Stats for Aug 2023:
25 [license confusion]
20 [support request/question not security notification]
8 [report/question relating to dependencies]

Security reports: 65 (last months: 88, 73, 59, 73)
11 ['airflow', 'website or other infrastructure']
3 ['tomcat']
2 ['beam', 'commons', 'dolphinscheduler', 'hive', 'hop', 'kafka', 'linkis', 'nifi', 'pulsar', 'seatunnel', 'shiro', 'superset']
1 ['ant', 'couchdb', 'druid', 'dubbo', 'fineract', 'geode', 'groovy', 'hadoop', 'httpd', 'inlong', 'openoffice', 'pinot', 'ranger', 'spark', 'struts', 'trafficserver']

In total, as of 1st September 2023, we're tracking 181 (last months: 171, 170) open issues across 54 projects, median age 108 days (last months: 106, 104). 46 of those issues have CVE names assigned. 13 (last month: 12) of these issues, across 7 projects, are older than 365 days.
@Bertrand: follow up with Mark about Zeppelin
July 2023:
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
- In the news: OpenMeetings vulnerabilities https://thehackernews.com/2023/07/apache-openmeetings-web-conferencing.html

Stats for Jul 2023:
32 [license confusion]
9 [support request/question not security notification]
9 [report/question relating to dependencies]

Security reports: 88 (last months: 73, 59, 73)
34 ['website or other infrastructure']
6 ['rocketmq', 'superset']
4 ['doris']
3 ['apisix', 'inlong', 'openoffice']
2 ['airflow', 'dolphinscheduler', 'guacamole', 'ignite', 'tomcat']
1 ['ambari', 'avro', 'axis', 'commons', 'felix', 'flink', 'geode', 'helix', 'hive', 'johnzon', 'logging', 'pulsar', 'semgrep', 'solr', 'struts', 'tika', 'trafficserver', 'uima', 'zookeeper']

In total, as of 1st August 2023, we're tracking 171 (last months: 170, 165) open issues across 52 projects, median age 106 days (last months: 104, 76). 40 of those issues have CVE names assigned. 12 (last month: 11) of these issues, across 6 projects, are older than 365 days.
@Sander: work with Brian around messaging this out
June 2023:
- We have engaged with the Trivy SBOM/security scanner project to discuss how we can help reduce noise and make security reports more accurate, possibly using VEX. This is challenging because it requires the scanner to have access to not just a list, but the graph of dependencies.
- The Airflow project are working on publishing SBOM information with their binary artifacts.
- We helped publish https://apache.org/.well-known/security.txt

Stats for June 2023:
46 [license confusion]
22 [support request/question not security notification]
9 [report/question relating to dependencies]

Security reports: 73 (last months: 59, 73, 64)
18 ['website or other infrastructure']
5 ['tomcat']
4 ['airflow']
3 ['httpd', 'openoffice']
2 ['activemq', 'hadoop', 'nifi', 'superset', 'trafficserver', 'xalan']
1 ['accumulo', 'apisix', 'aries', 'baremaps', 'camel', 'carbondata', 'cloudstack', 'cordova', 'doris', 'felix', 'guacamole', 'iotdb', 'jackrabbit', 'jena', 'jspwiki', 'myfaces', 'netbeans', 'openmeetings', 'ozone', 'pekko', 'pig', 'pinot', 'rocketmq', 'roller', 'sling', 'storm', 'xerces', 'zeppelin']

In total, as of 3 July 2023, we're tracking 170 (last months: 165, 173) open issues across 57 projects, median age 104 days (last months: 76, 69). 54 of those issues have CVE names assigned. 11 (last month: 12) of these issues, across 5 projects, are older than 365 days.
@Bertrand: keep an eye on Zeppelin's progress in security fixes
@Willem: also follow up on Zeppelin security
May 2023:
- An older Tomcat JMX issue, CVE-2016-8735, was selected to be included in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- We have engaged with the Trivy SBOM/security scanner project to discuss how we can help reduce noise and make security reports more accurate, possibly using VEX. This is challenging because it requires the scanner to build not just a list, but the graph of dependencies.
- We are working with NIST/NVD to improve the consistency of CPE's, and have stopped distinguishing between 'incubating' and 'regular' Apache projects in the CPE, to avoid missing associations.
- The Airflow project has formed a security@airflow.apache.org group, which hopefully will help clear their considerable backlog.
- We continue working with projects to publish 'security model' information on their websites, this month PDFBox.
- We have started exploring creating a single place to find security contact information and advisories for all Apache projects on https://security.apache.org and also moved our blog there.

Stats for May 2023:
22 [license confusion]
11 [support request/question not security notification]
2 [report/question relating to dependencies]

Security reports: 59 (last months: 73, 64, 71)
8 ['superset']
6 ['vince', 'website or other infrastructure']
4 ['rocketmq']
3 ['airflow', 'inlong', 'tomcat']
2 ['commons', 'dolphinscheduler']
1 ['activemq', 'apisix', 'atlas', 'codeql', 'cpe', 'fedramp', 'flink', 'hadoop', 'hive', 'ibb', 'ignite', 'infra', 'nifi', 'openoffice', 'poi', 'ranger', 'shiro', 'solr', 'spark', 'storm', 'streampark', 'trafficserver']

In total, as of 1 June 2023, we're tracking 165 (last months: 173, 153) open issues across 56 projects, median age 76 days (last months: 69, 78). 46 of those issues have CVE names assigned. 12 (last month: 7) of these issues, across 6 projects, are older than 365 days.
@Bertrand: Follow up with Zeppelin roll call
April 2023:
- We have started providing guidance for consistent software identification using schemes such as Purl and SWIG, so vulnerability information can more easily be shared by Apache itself as well as third parties. Such consistent naming is essential to improve the accuracy of SBOM and vulnerability scanning activities.
- We identified a PyPI package that was still managed outside of Apache and was missing security updates.
- We are working with projects to publish 'security model' information on their websites, which helps users understand what to expect from the project security-wise and security researchers where to best focus their efforts. In April such a section was published for Apache Commons.
- We are working with the Airflow project to form a security@airflow.apache.org group.
- We moved our blog to the newly-created https://security.apache.org

Stats for April 2023:
29 [license confusion]
21 [support request/question not security notification]
4 [report/question relating to dependencies]

Security reports: 73 (last months: 64, 71, 47)
11 ['airflow']
9 ['inlong']
7 ['superset']
6 ['website or other infrastructure']
4 ['dolphinscheduler']
2 ['apisix', 'commons', 'dubbo', 'httpd', 'pulsar', 'streampark', 'trafficserver']
1 ['lineaje', 'allura', 'brpc', 'doris', 'druid', 'fineract', 'guacamole', 'jackrabbit', 'jena', 'johnzon', 'linkis', 'logging', 'mxnet', 'netbeans', 'ofbiz', 'pinot', 'shenyu', 'streampipes', 'struts', 'tomcat', 'tvm', 'xerces']

In total, as of 1 May 2023, we're tracking 173 (last months: 153, 154) open issues across 62 projects, median age 69 days (last months: 78, 91). 65 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 5 projects, are older than 365 days.
- We continue to work to improve the accuracy of our disclosed vulnerabilities by working with NIST's NVD programme to align their CWE classifications, by reviewing and suggesting fixes to the CPEs that NVD assigned to our CVEs, and by reviewing the artifact mappings assigned to them in the GitHub Security Advisory (GHSA) database and adding missing ones.
- We worked with the infrastructure, marketing & publicity and data privacy teams to improve some security/privacy features on www.apache.org
- CVE-2022-33891 (in Spark) will be added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Stats for March 2023:
43 [license confusion]
15 [support request/question not security notification]
7 [report/question relating to dependencies]

Security reports: 64 (last months: 71, 59, 62)
9 ['airflow']
8 ['website or other infrastructure']
4 ['dubbo', 'linkis', 'tomcat']
3 ['pulsar']
2 ['archiva', 'commons', 'inlong', 'openmeetings', 'openoffice', 'shardingsphere', 'shiro', 'struts', 'zookeeper']
1 ['axis', 'cassandra', 'dolphinscheduler', 'doris', 'guacamole', 'ignite', 'jmeter', 'kylin', 'logging', 'mina', 'ozone', 'pdfbox', 'roller', 'superset']

In total, as of 3 April 2023, we're tracking 153 (last months: 154, 156) open issues across 53 projects, median age 78 days (last months: 91, 83 days). 56 of those issues have CVE names assigned. 8 (last month: 8) of these issues, across 5 projects, are older than 365 days.
- We continue working with projects to publish 'security model' pages on their websites, which help users understand what to expect from the project security-wise and tell security researchers where to best focus their efforts. In February such a page was published for Apache JMeter.
- We have been reviewing the CPEs that NIST's NVD programme assigned to our CVEs, and suggesting fixes for some inconsistencies/misclassifications we identified.
- We have done a similar review of the GitHub Security Advisory (GHSA) database, but found no inaccuracies there yet.
- We have started taking inventory of how Apache scores in the OpenSSF Scorecards project. We plan to improve these scores, both by providing Apache projects with insight and actionable suggestions, and by improving the tool.
- We continue to work on https://cveprocess.apache.org, bringing our fork under the Apache GitHub organisation and sharing and documenting its deployment process.
- We worked with the infra team to improve some security features on www.apache.org that are sometimes flagged by security researchers.

Stats for February 2023:
23 [support request/question not security notification]
20 [license confusion]
4 [report/question relating to dependencies]

Security reports: 71 (last months: 59, 62, 84)
8 ['airflow']
7 ['website or other infrastructure']
6 ['tomcat']
4 ['logging']
3 ['commons', 'hadoop', 'httpd', 'openoffice']
2 ['hive', 'inlong', 'kafka', 'superset', 'trafficserver']
1 ['activemq', 'archiva', 'carbondata', 'cloudstack', 'couchdb', 'dolphinscheduler', 'druid', 'geode', 'guacamole', 'ibb', 'infra', 'iotdb', 'jspwiki', 'linkis', 'nifi', 'pdfbox', 'qpid', 'shenyu', 'shiro', 'sling', 'streampark', 'streampipes', 'submarine', 'zeppelin']

In total, as of 1 March 2023, we're tracking 154 (last months: 156, 160) open issues across 52 projects, median age 91 days (last months: 83, 59 days). 54 of those issues have CVE names assigned. 8 (last month: 7) of these issues, across 6 projects, are older than 365 days.
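The reports above (guidance on purl and SWID identifiers, and the review of the CPEs NVD assigns to Apache CVEs) turn on one practical point: an advisory only matches an SBOM entry when both sides derive the identifier the same way. The following is an added example, not the ASF security team's guidance or tooling. It builds a purl and a CPE 2.3 formatted string from one set of coordinates and then matches a constructed advisory's affected range against SBOM components by purl; the artifact coordinates, the advisory and the CVE ID are invented for illustration and are not real NVD or CVE entries.

```python
"""Derive purl and CPE 2.3 identifiers for one artifact and match an advisory
against SBOM components by purl.

Added example, not ASF code. Coordinates, advisory and CVE ID are constructed.
"""
import re
from urllib.parse import quote


def purl(ptype, namespace, name, version=None, qualifiers=None):
    """Build a package URL: pkg:type/namespace/name@version?k=v (purl spec encoding)."""
    ptype = ptype.lower()
    if ptype == "pypi":
        # pypi names are case-insensitive and '_'/'-' are equivalent; purl
        # normalises them to lowercase with dashes.
        name = name.lower().replace("_", "-")
    out = "pkg:" + ptype
    if namespace:
        out += "/" + "/".join(quote(seg, safe="") for seg in namespace.strip("/").split("/"))
    out += "/" + quote(name, safe="")
    if version:
        out += "@" + quote(version, safe="")
    if qualifiers:
        out += "?" + "&".join(f"{k.lower()}={quote(v, safe='')}"
                              for k, v in sorted(qualifiers.items()))
    return out


def cpe_attr(value):
    """Escape one CPE 2.3 formatted-string attribute. None/'*' is ANY, '-' is NA;
    alphanumerics, '_', '.' and '-' are literal, everything else is backslash-quoted
    (embedded wildcards are not supported and become literals)."""
    if value is None or value == "*":
        return "*"
    if value == "-":
        return "-"
    return re.sub(r"([^a-z0-9_.\-])", r"\\\1", value.lower())


def cpe23(vendor, product, version="*", update="*", target_sw="*"):
    """Formatted CPE 2.3 string for an application (part 'a'); edition, language,
    sw_edition, target_hw and other are left as ANY."""
    attrs = [vendor, product, version, update, "*", "*", "*", target_sw, "*", "*"]
    return "cpe:2.3:a:" + ":".join(cpe_attr(a) for a in attrs)


def version_key(v):
    """Order versions: dotted numeric parts compare numerically (padded to 4 parts);
    a hyphenated pre-release tag such as -rc1 sorts before the bare release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, pre == "", pre)


def is_affected(component_purl, advisory):
    """True when the component's purl (minus version/qualifiers) equals the advisory
    purl and its version lies in the half-open range [introduced, fixed)."""
    base, _, rest = component_purl.partition("@")
    if base != advisory["purl"]:
        return False
    version = rest.split("?", 1)[0].split("#", 1)[0]
    key = version_key(version)
    lo = version_key(advisory.get("introduced", "0"))
    fixed = advisory.get("fixed")
    return key >= lo and (fixed is None or key < version_key(fixed))


# Constructed advisory: hypothetical CVE against a hypothetical artifact.
ADVISORY = {"id": "CVE-2099-1000", "purl": "pkg:maven/org.example/widget",
            "introduced": "1.5", "fixed": "1.10.0"}

# Constructed SBOM component list, expressed as purls built by the same function.
SBOM_PURLS = [
    purl("maven", "org.example", "widget", "1.8.0"),
    purl("maven", "org.example", "widget", "1.10.0"),
    purl("maven", "org.example", "widget", "1.10.0-rc1"),
    purl("maven", "org.example", "widget", "1.4.2"),
    purl("maven", "org.example", "other", "1.8.0"),
]


def scan(purls, advisory):
    """Return the SBOM purls the advisory applies to."""
    return [p for p in purls if is_affected(p, advisory)]


if __name__ == "__main__":
    print(cpe23("example", "widget", "1.8.0"))
    for p in scan(SBOM_PURLS, ADVISORY):
        print(ADVISORY["id"], "affects", p)
```

The pre-release case (1.10.0-rc1 is before the fix, 1.10.0 is not) is the kind of boundary that silently disagrees between tools when each side encodes the version differently; deriving both identifiers from one record removes that class of mismatch.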
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
- We have published the ASF Security Report for 2022. https://blogs.apache.org/security/entry/asf-security-report-2022
- We congratulate the APR project, who have released version 1.7.1, among other things fixing the long-standing CVE-2017-12613.
- Airflow continues to attract attention from security researchers, likely in part due to their inclusion in a third-party bug bounty program run by HackerOne. The PMC is responding to the reports at a steady pace.
- We are working with projects to publish "security model" pages on their websites, which help users understand what to expect from the project security-wise, and help security researchers decide where to best focus their efforts. In January such a page was published for Apache Maven.

Stats for January 2023:
46 [license confusion]
12 [support request/question not security notification]
2 [report/question relating to dependencies]

Security reports: 59 (last months: 62, 84, 69)
12 ['airflow']
12 [website or other infrastructure]
4 ['tomcat']
2 ['inlong', 'iotdb', 'logging', 'shiro', 'superset']
1 ['ambari', 'commons', 'dolphinscheduler', 'druid', 'eventmesh', 'fineract', 'flink', 'httpd', 'infrastructure', 'james', 'kafka', 'kylin', 'linkis', 'maven', 'mxnet', 'nifi', 'openoffice', 'royale', 'sling', 'spark', 'zeppelin']

In total, as of 1 February 2023, we're tracking 156 (last months: 160, 154) open issues across 59 projects, median age 83 days (last months: 59, 45 days). 46 of those issues have CVE names assigned. 6 (last month: 6) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
- The https://cveprocess.apache.org/ tool was given a major overhaul in order to support version 5 of the CVE JSON format. The security team can now publish a CVE directly to cve.org instantly via the tool, and we'll work on rolling that out to projects over time.
- We have further explored SBOM and VEX, and have started an experiment publishing (non-)exploitability information in a VEX format for the Solr project, https://github.com/apache/solr-site/pull/86
- We have improved the accuracy of the reports we send to projects with open security issues, and made them more easily actionable.

Stats for December 2022:
27 [license confusion]
21 [support request/question not security notification]
5 [report/question relating to dependencies]

Security reports: 62 (last months: 84, 69, 55)
7 [web site/other infrastructure]
5 ['commons', 'sling']
4 ['tomcat']
3 ['airflow', 'jena', 'solr']
2 ['fineract', 'guacamole', 'hadoop', 'shiro']
1 ['ambari', 'any23', 'camel', 'cassandra', 'cloudstack', 'dolphinscheduler', 'druid', 'dubbo', 'helix', 'httpd', 'iotdb', 'jspwiki', 'karaf', 'mxnet', 'ofbiz', 'openoffice', 'ozone', 'pivot', 'santuario', 'servicecomb', 'streampark', 'submarine', 'wicket', 'xalan']

In total, as of 2 January 2023, we're tracking 160 (last months: 154, 137) open issues across 65 projects, median age 59 days (last months: 45, 53 days). 52 of those issues have CVE names assigned. 6 (last months: 9, 10) of these issues, across 5 projects, are older than 365 days.
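Two reports touch the same mechanism: the Solr VEX experiment above, and the June 2023 discussion with Trivy about why consuming VEX needs the dependency graph rather than a flat component list. The following is an added example, not code from the ASF security team, the Trivy project or the Solr experiment. It uses a CycloneDX-shaped SBOM (components with bom-refs plus a dependencies section) and a CycloneDX-shaped VEX (vulnerabilities with affects and analysis), and every component, version and CVE ID in it is constructed for illustration. It contrasts a list-only filter, which suppresses a finding whenever any not_affected statement exists for that CVE, with a graph-aware one, which suppresses only when every top-level product that reaches the vulnerable component has been cleared.

```python
"""Apply VEX statements to flat scanner findings using the SBOM dependency graph.

Added example, not ASF, Trivy or Solr code. SBOM, VEX and findings are constructed.
"""
from collections import deque

APP = "pkg:maven/org.example/app@1.0.0"
TOOL = "pkg:maven/org.example/tool@3.0.0"
WEB = "pkg:maven/org.example/web@2.1.0"
PARSER = "pkg:maven/org.example/parser@0.9.0"

# Constructed SBOM: two top-level products (app, tool) sharing a transitive dependency.
SBOM = {
    "components": [{"bom-ref": r, "name": r.split("/")[-1].split("@")[0]}
                   for r in (APP, TOOL, WEB, PARSER)],
    "dependencies": [
        {"ref": APP, "dependsOn": [WEB]},
        {"ref": WEB, "dependsOn": [PARSER]},
        {"ref": TOOL, "dependsOn": [PARSER]},
    ],
}

# Constructed VEX: app's maintainers assert both CVEs are unreachable *in app*.
# Nothing is said about tool.
VEX = {
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "affects": [{"ref": APP}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-2099-0002", "affects": [{"ref": APP}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ]
}

# Constructed flat scanner output: (vulnerability id, vulnerable component ref).
FINDINGS = [("CVE-2099-0001", PARSER), ("CVE-2099-0002", WEB)]


def build_parents(sbom):
    """Reverse the dependency edges: parents[ref] = set of refs that depend on ref."""
    parents = {c["bom-ref"]: set() for c in sbom["components"]}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    return parents


def roots_reaching(ref, parents):
    """Every top-level component (one with no parents) that transitively depends on ref."""
    seen, queue, roots = {ref}, deque([ref]), set()
    while queue:
        cur = queue.popleft()
        ps = parents.get(cur, set())
        if not ps:
            roots.add(cur)
        for p in ps - seen:
            seen.add(p)
            queue.append(p)
    return roots


def vex_states(vex):
    """Index the VEX analysis state by (vulnerability id, product ref)."""
    return {(v["id"], a["ref"]): v.get("analysis", {}).get("state")
            for v in vex.get("vulnerabilities", [])
            for a in v.get("affects", [])}


def naive_filter(findings, vex):
    """List-only behaviour: drop a finding whenever *any* not_affected statement
    exists for that CVE, regardless of which product the statement was made for."""
    cleared = {vid for (vid, _), state in vex_states(vex).items() if state == "not_affected"}
    return ["suppressed" if vid in cleared else "reported" for vid, _ in findings]


def graph_filter(findings, sbom, vex):
    """Graph-aware behaviour: suppress only if every top-level product reaching the
    vulnerable component carries a not_affected statement for that CVE.
    Returns (vuln id, component ref, status, products still affected)."""
    parents, states = build_parents(sbom), vex_states(vex)
    results = []
    for vid, ref in findings:
        remaining = sorted(r for r in roots_reaching(ref, parents)
                           if states.get((vid, r)) != "not_affected")
        results.append((vid, ref, "suppressed" if not remaining else "reported", remaining))
    return results


if __name__ == "__main__":
    print("list-only  :", naive_filter(FINDINGS, VEX))
    for row in graph_filter(FINDINGS, SBOM, VEX):
        print("graph-aware:", row)
```

With the graph, CVE-2099-0001 on the shared parser stays reported because tool also reaches it and has no statement; the list-only filter would have silently dropped it. CVE-2099-0002 on web is reachable only through app, which has been cleared, so both approaches agree there.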
We have a higher number of open issues than usual, due to a high number of incoming queries. This is often bursty (and seasonal) so is not a concern, and we will continue to monitor it for trends. Otherwise, continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for November 2022:
25 [license confusion]
18 [support request/question not security notification]
7 [report/question relating to dependencies]

Security reports: 84 (last months: 69, 55, 42, 61)
7 ['airflow']
5 ['commons']
4 ['sling']
3 ['cocoon', 'shardingsphere', 'superset']
2 ['derby', 'dolphinscheduler', 'doris', 'httpd', 'iotdb', 'james', 'linkis', 'nifi', 'streampark', 'trafficserver', 'xmlgraphics']
1 ['activemq', 'ambari', 'ant', 'archiva', 'brooklyn', 'camel', 'cxf', 'directory', 'druid', 'dubbo', 'freemarker', 'geronimo', 'griffin', 'hama', 'hc', 'hive', 'jena', 'jmeter', 'jspwiki', 'kafka', 'knox', 'manifoldcf', 'mina', 'netbeans', 'openmeetings', 'pulsar', 'ranger', 'reef', 'roller', 'servicemix', 'shiro', 'solr', 'subversion', 'tomcat', 'uima', 'zeppelin', 'zookeeper']

In total, as of 1 December 2022, we're tracking 154 (last month: 137) open issues across 59 projects, median age 45 days (last month: 53 days). 55 of those issues have CVE names assigned. 9 (last month: 10) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Oct 2022:
26 [license confusion]
24 [support request/question not security notification]

Security reports: 69 (last months: 55, 42, 61)
14 [commons]
10 [airflow]
3 [tomcat], [superset], [nifi], [skywalking]
2 [openoffice], [kylin], [dolphinscheduler], [cxf], [archiva]
1 [zeppelin], [ws], [trafficserver], [tapestry], [spark], [spamassassin], [sling], [shiro], [servicecomb], [sdap], [netbeans], [maven], [logging], [linkis], [jmeter], [inlong], [infrastructure], [httpd], [heron], [hadoop], [dubbo], [camel], [age]

In total, as of 31st October 2022, we're tracking 137 (last month: 101) open issues across 49 projects, median age 53 days (last month: 78 days). 52 of those issues have CVE names assigned. 10 (last month: 11) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Sep 2022:
26 [license confusion]
24 [support request/question not security notification]

Security reports: 55 (last months: 42, 61, 30)
5 [airflow]
3 [httpd], [openoffice], [shenyu], [tomcat], [xmlgraphics]
2 [archiva], [dolphinscheduler], [isis], [sling], [solr]
1 [ambari], [calcite], [cassandra], [doris], [druid], [hadoop], [infrastructure], [inlong], [iotdb], [jmeter], [karaf], [linkis], [maven], [netbeans], [nifi], [ofbiz], [shardingsphere], [skywalking], [spamassassin], [spark], [streampark], [trafficcontrol], [trafficserver], [ws], [zeppelin]

In total, as of 30th Sept 2022, we're tracking 101 (last month: 92) open issues across 45 projects, median age 78 days (last month: 111). 52 of those issues have CVE names assigned. 11 (last month: 10) of these issues, across 7 projects, are older than 365 days.
Over the last few months we have liaised with the Infra team, who created tooling to test for signature and other issues on project downloads. The first run found issues in 61 projects; the latest run was down to 28. The remaining issues are not major (signing public keys missing from KEYS files) and we will manually follow up with the remaining projects over the coming months.
A flaw affecting a configuration/script file used by a GitHub workflow was reported in Apache Camel in April, fixed the next day, and mentioned in the press this month. No CVE was issued as there was no security vulnerability in Camel itself and no action for end users: https://www.theregister.com/2022/09/01/google_firebase_apache_camel_github/
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Aug 2022:
27 [license confusion]
17 [support request/question not security notification]

Security reports: 42 (last months: 61, 30, 44)
6 [airflow]
4 [site]
3 [httpd]
2 [flume], [logging], [openoffice], [shiro], [tomcat], [xmlgraphics]
1 [activemq], [ambari], [ant], [arrow], [avro], [cassandra], [commons], [drill], [dubbo], [infrastructure], [maven], [openwhisk], [pulsar], [security], [solr], [superset], [trafficserver]

In total, as of 1st Sept 2022, we're tracking 92 (last month: 104) open issues across 39 projects, median age 111 days (last month: 107). 52 of those issues have CVE names assigned. 10 (last month: 11, some + and -) of these issues, across 7 projects, are older than 365 days.
In July the Apache Xalan Java project was retired due to the inability to create a release to fix a reported security issue.
The CSRB report on the Log4j event was released: https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
We have a dedicated person starting in September to be the main handler of incoming security issues.
Additionally, continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Aug 2022:
30 [license confusion]
34 [support request/question not security notification]

Security reports: 61 (last months: 30, 44, 41)
13 [site]
4 [airflow], [dubbo], [httpd]
3 [commons], [shiro], [superset]
2 [cassandra], [kafka], [nifi], [spark], [struts]
1 [archiva], [avro], [axis], [calcite], [cloudstack], [flex], [groovy], [hadoop], [jena], [logging], [maven], [milagro], [oozie], [shenyu], [skywalking], [tomcat], [xerces]

In total, as of 1st August 2022, we're tracking 104 (last month: 100) open issues across 39 projects, median age 107 days (last month: 101). 57 of those issues have CVE names assigned. 10 (last month: 11) of these issues, across 7 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
Note: On July 14th the CSRB released their report on the Log4j vulnerability. Links to it, a summary, and further discussion: https://lists.apache.org/thread/5xtmqg98c5d1783t6gybqgjloklpvy92

Stats for Jul 2022:
27 [license confusion]
34 [support request/question not security notification]

Security reports: 30 (last months: 44, 41, 47)
5 [site]
3 [iotdb]
2 [commons], [geode], [nifi], [struts], [tomcat]
1 [ant], [apr], [drill], [flume], [hc], [httpd], [ignite], [jspwiki], [tika], [trafficserver], [uima], [unomi]

In total, as of 1st July 2022, we're tracking 100 (last month: 111) open issues across 38 projects, median age 101 days (last month: 73). 63 of those issues have CVE names assigned. 11 (last month: 9) of these issues, across 7 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for May 2022:
25 [license confusion]
29 [support request/question not security notification]

Security reports: 44 (last months: 41, 47, 67)
8 [zeppelin]
5 [httpd]
4 [site]
2 [commons], [dolphinscheduler], [hadoop], [jspwiki], [spark], [tomcat]
1 [airflow], [apr], [atlas], [dubbo], [kafka], [openoffice], [pulsar], [shardingsphere], [shiro], [sling], [struts], [superset], [tika], [trafficcontrol], [trafficserver]

In total, as of 1st June 2022, we're tracking 111 (last month: 91) open issues across 40 projects, median age 73 days (last month: 78). 61 of those issues have CVE names assigned. 9 (last month: 10) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
Opened a position for a Security Response Program Manager: https://blogs.apache.org/security/entry/position-available-security-response-program

Stats for Apr 2022:
18 [license confusion]
42 [support request/question not security notification]

Security reports: 41 (last months: 47, 67, 71)
9 [site]
6 [airflow]
3 [druid], [httpd]
2 [apisix]
1 [bookkeeper], [camel], [commons], [dolphinscheduler], [hc], [ignite], [jena], [logging], [nifi], [ofbiz], [openoffice], [shardingsphere], [shenyu], [spark], [tapestry], [tika], [tomcat], [xalan]

In total, as of 1st May 2022, we're tracking 91 (last month: 93) open issues across 42 projects, median age 78 days (last month: 61). 64 of those issues have CVE names assigned. 10 (last month: 11) of these issues, across 7 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
David Nalley, Sam Ruby, and Mark Cox attended further federal government meetings during March around the Log4Shell (Log4j) issue. Gary Gregory (Logging PMC) was involved in one call. We ensure that we have a minimum of two ASF members at such meetings.
We received a request from the European Commission (FOSSEP) that is more of a long-term consultation around the supply chain/vulnerability issues highlighted by Log4j. This has been brought to the attention of our members with a call to action to seek volunteers, and is being discussed on the normal public security list. It is possible that this effort at some point results in advice to the ASF for policy/process improvements. https://lists.apache.org/thread/3m8whx8fp05f57kv50d16j515rxfyqml

Stats for Mar 2022:
21 [license confusion]
33 [support request/question not security notification]

Security reports: 47 (last months: 67, 71, 83)
7 [httpd]
5 [airflow]
4 [site]
3 [jspwiki], [trafficserver]
2 [archiva], [dolphinscheduler], [nifi], [ofbiz], [openoffice], [pulsar]
1 [activemq], [apisix], [commons], [directory], [druid], [hive], [james], [kafka], [maven], [netbeans], [poi], [solr], [tomcat]

In total, as of 4th April 2022, we're tracking 93 (last month: 83) open issues across 38 projects, median age 61 days (last month: 50). 57 of those issues have CVE names assigned. 9 (last month: 10) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. The workload is starting to drop after the larger number of issues reported during December-January.
David Nalley and Mark Cox attended a Cyber Safety Review Board (CSRB) meeting in February, and Mark Cox attended a CERT/CC meeting in February, both around the Log4Shell (Log4j) issue.

Stats for Feb 2022:
25 [license confusion]
39 [support request/question not security notification]

Security reports: 67 (last months: 71, 83, 44)
9 [site]
6 [tomcat]
4 [airflow], [trafficserver]
3 [dubbo], [httpd], [jspwiki]
2 [apisix], [apr], [dolphinscheduler], [flink], [hadoop], [openoffice], [spark]
1 [any23], [axis], [commons], [couchdb], [druid], [freemarker], [hive], [ignite], [livy], [logging], [ofbiz], [pdfbox], [servicecomb], [shenyu], [shiro], [sling], [storm], [superset], [tika], [xml], [zeppelin]

In total, as of 1st Mar 2022, we're tracking 83 (last month: 83) open issues across 38 projects, median age 50 days (last month: 55). 55 of those issues have CVE names assigned. 7 (last month: 5) of these issues, across 4 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. The workload remains high as we work through the larger number of issues reported during December-January.
We were invited to, and attended, a forum to discuss open source software security with the NSC at the White House in January 2022. A summary was posted after the meeting to our public security-discuss@community.apache.org list: https://lists.apache.org/thread/7bs1k791b5f0j4vzf0h6lwnv8doyjzck
We have been invited to a Senate hearing around Log4j. Please see the President's remarks for more information.

Stats for Jan 2022:
36 [license confusion]
52 [support request/question not security notification]

Security reports: 71 (last months: 83, 44, 36)
6 [site], [logging]
4 [pinot]
3 [httpd], [ofbiz], [shiro]
2 [activemq], [airflow], [commons], [jspwiki], [pulsar], [shardingsphere], [solr], [zeppelin]
1 [apisix], [camel], [chemistry], [dolphinscheduler], [doris], [drill], [druid], [dubbo], [felix], [flume], [geode], [hadoop], [infrastructure], [james], [jmeter], [kafka], [karaf], [kylin], [maven], ["multiple"], [openoffice], [rocketmq], [shenyu], [spark], [systemds], [tika], [tomcat], [trafficcontrol], [trafficserver], [xmlgraphics]

In total, as of 1st Feb 2022, we're tracking 83 (last month: 107) open issues across 46 projects, median age 55 days (last month: 62). 47 of those issues have CVE names assigned. 4 (last month: 5, although 1 of them is different) of these issues, across 4 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
We were invited to, and will attend, a forum to discuss open source software security with the NSC at the White House in January 2022. Details are being discussed on our public security-discuss@community.apache.org list.
A vulnerability in Log4j 2 (CVE-2021-44228, "Log4Shell") allowed remote attackers to achieve remote code execution in a default and typical installation. The issue was widely exploited, starting the day before a release with a fix was published. After the fixed release a few subsequent Log4j vulnerabilities were also fixed, but none had the same impact or default conditions. This event triggered a large number of enquiries and vulnerability reports, as can be seen in the metrics below. The security team worked to help the Logging PMC on this issue before, during, and after its disclosure.

Stats for Dec 2021:
32 [license confusion]
111 [support request/question not security notification]

Security reports: 83 (last months: 44, 36, 47)
14 [logging]
6 [httpd]
5 [commons]
4 [tomcat]
3 [cassandra], [infrastructure], [openoffice]
2 [dubbo], [hadoop], [nifi], [sling], [solr], [superset], [zeppelin]
1 [activemq], [airflow], [apisix], [archiva], [beam], [camel], [cayenne], [cocoon], [druid], [eventmesh], [flink], [freemarker], [guacamole], [hive], [ignite], [jackrabbit], [james], [jspwiki], [kafka], [maven], [multiple], [ofbiz], [ozone], [pdfbox], [portals], [shardingsphere], [shenyu], [skywalking], [spark], [storm], [struts], [trafficcontrol], [unomi]

In total, as of 1st Jan 2022, we're tracking 107 (last month: 89) open issues across 47 projects, median age 62 days (last month: 90). 49 of those issues have CVE names assigned. 6 (last month: 5) of these issues, across 3 projects, are older than 365 days.
@Sander: follow up with PMCs about the role of the security team
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Nov 2021:
31 [license confusion]
12 [support request/question not security notification]

Security reports: 44 (last months: 36, 47, 48)
6 [site]
3 [shenyu]
2 [druid], [dubbo], [httpd], [shardingsphere], [skywalking], [storm], [tomcat], [trafficcontrol]
1 [airflow], [apisix], [cassandra], [guacamole], [heron], [jspwiki], [kafka], [kylin], [linkis], [logging], [lucene], [mxnet], [nifi], [pdfbox], [shiro], [solr], [subversion], [superset], [trafficserver]

In total, as of 1st Dec 2021, we're tracking 89 (last month: 90) open issues across 42 projects, median age 90 days (last month: 87). 46 of those issues have CVE names assigned. 5 (last month: 4) of these issues, across 3 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Oct 2021:
24 [license confusion]
23 [support request/question not security notification]

Security reports: 36 (last months: 47, 48, 42)
9 [site]
5 [httpd], [druid]
3 [superset]
2 [airflow], [dubbo], [solr]
1 [avro], [guacamole], [hadoop], [plc4x], [syncope], [tomcat], [trafficcontrol], [trafficserver]

In total, as of 1st Nov 2021, we're tracking 90 (last month: 92) open issues across 40 projects, median age 87 days (last month: 78). 57 of those issues have CVE names assigned. 4 (last month: 4) of these issues, across 3 projects, are older than 365 days.
WHEREAS, the Apache Software Foundation (ASF) Board Committee, known as the Apache Security Team, expects to better serve its purpose through the periodic update of its membership; and
WHEREAS, the Apache Security Team is a Board-appointed committee whose membership must be approved by Board resolution;
NOW, THEREFORE, BE IT RESOLVED, that the following ASF members be added as Apache Security Team members:
PJ Fanning <fanningpj@apache.org>
Special Order 7A, Update Apache Security Team Membership, was approved by Unanimous Vote of the directors present.
This month we gave a keynote talk about the security committee, the US Executive Order on cybersecurity, and third-party security projects such as those under the OpenSSF.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Sep 2021:
27 [license confusion]
20 [support request/question not security notification]

Security reports: 47 (last months: 48, 42, 56)
5 [superset]
4 [site], [httpd]
3 [airflow]
2 [airavata], [shiro], [tomcat]
1 [activemq], [db], [druid], [dubbo], [echarts], [guacamole], [hc], [heron], [infrastructure], [james], [jspwiki], [logging], [milagro], [mina], [mxnet], [ofbiz], [openmeetings], [ozone], [parquet], [pulsar], [shardingsphere], [storm], [struts], [trafficserver], [zeppelin]

In total, as of 1st Oct 2021, we're tracking 92 (last month: 90) open issues across 44 projects, median age 78 days (last month: 85). 65 of those issues have CVE names assigned. 4 (last month: 7) of these issues, across 3 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Aug 2021:
33 [license confusion]
26 [support request/question not security notification]

Security reports: 48 (last months: 42, 56, 45)
18 [site]
4 [ofbiz]
3 [airflow], [james]
2 [any23], [guacamole], [jspwiki], [knox]
1 [brooklyn], [dubbo], [flink], [httpd], [jena], [karaf], [logging], [nifi], [ranger], [spamassassin], [tomcat], [zeppelin]

In total, as of 1st Sep 2021, we're tracking 90 (last month: 82) open issues across 39 projects, median age 85 days (last month: 73). 69 of those issues have CVE names assigned. 7 (last month: 7) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Jul 2021:
35 [license confusion]
12 [support request/question not security notification]

Security reports: 42 (last months: 56, 45, 41)
10 [site]
8 [airflow]
3 [dubbo]
2 [ofbiz], [portals], [spark], [tomcat]
1 [ant], [couchdb], [druid], [gobblin], [httpd], [nifi], [ozone], [shenyu], [sling], [solr], [spamassassin], [struts], [trafficcontrol], [trafficserver]

In total, as of 1st Aug 2021, we're tracking 82 (last month: 85) open issues across 34 projects, median age 73 days (last month: 54). 61 of those issues have CVE names assigned. 7 (last month: 6) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Jun 2021:
31 [license confusion]
26 [support request/question not security notification]

Security reports: 56 (last months: 45, 41, 27, 46)
16 [site]
11 [dubbo]
3 [airflow], [commons], [httpd]
2 [ozone], [superset], [trafficserver]
1 [apr], [directory], [flink], [geode], [hadoop], [infrastructure], [kafka], [openoffice], [roller], [shiro], [solr], [storm], [tinkerpop], [tomcat]

In total, as of 1st Jul 2021, we're tracking 85 (last month: 77) open issues across 35 projects, median age 54 days (last month: 60). 45 of those issues have CVE names assigned. 6 (last month: 8) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for May 2021:
32 [license confusion]
19 [support request/question not security notification]

Security reports: 45 (last months: 41, 27, 46, 46)
16 [site]
4 [trafficserver]
3 [airflow], [hadoop], [solr]
1 [httpd], [openoffice], [tomcat], [commons], [dubbo], [hbase], [infrastructure], [jena], [kylin], [nifi], [nuttx], [ofbiz], [roller], [skywalking], [superset], [tapestry]

In total, as of 1st Jun 2021, we're tracking 77 (last month: 76) open issues across 36 projects, median age 60 days (last month: 83). 54 of those issues have CVE names assigned. 6 (last month: 9) of these issues, across 4 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Apr 2021:
28 [license confusion]
21 [support request/question not security notification]

Security reports: 41 (last months: 27, 46, 46)
12 [site]
5 [httpd]
3 [pdfbox]
2 [tomcat], [trafficserver]
1 [apisix], [cxf], [druid], [dubbo], [hadoop], [hive], [ignite], [juddi], [kylin], [ofbiz], [openoffice], [shiro], [solr], [tapestry], [tvm], [xerces]

In total, as of 1st May 2021, we're tracking 76 (last month: 80) open issues across 37 projects, median age 83 days (last month: 56). 51 of those issues have CVE names assigned. 9 (last month: 9) of these issues, across 8 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Mar 2021:
24 [license confusion]
13 [support request/question not security notification]

Security reports: 27 (last months: 46, 46, 45)
4 [solr]
3 [trafficserver]
2 [commons]
1 [airflow], [apisix], [archiva], [axis], [druid], [dubbo], [geode], [groovy], [hadoop], [httpd], [impala], [infrastructure], [ofbiz], [pdfbox], [shiro], [subversion], [superset], [tapestry], [velocity]

In total, as of 1st Apr 2021, we're tracking 80 (last month: 76) open issues across 40 projects, median age 56 days (last month: 62). 49 of those issues have CVE names assigned. 9 (last month: 9) of these issues, across 8 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
We recently started spending more time on stalled issues to get them moving again, and this has led to some of the old issues being completed. Unfortunately we have also had to escalate issues to a handful of unresponsive PMCs, both directly and by using board roll-calls. Some of this escalation has worked, and we continue to stay on top of the rest until resolution.

Stats for Feb 2021:
25 [license confusion]
32 [support request/question not security notification]

Security reports: 46 (last months: 46, 45, 45)
10 [site]
7 [druid]
3 [zeppelin]
2 [airflow], [commons], [infrastructure], [lucene], [pdfbox], [shiro], [superset]
1 [dolphinscheduler], [dubbo], [hadoop], [httpd], [openoffice], [shardingsphere], [struts], [tapestry], [tika], [tomcat], [trafficserver], [unomi]

In total, as of 1st Mar 2021, we're tracking 76 (last month: 67) open issues across 44 projects, median age 62 days (last month: 61). 48 of those issues have CVE names assigned. 10 (last month: 9) of these issues, across 8 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.
This month we sent requests for information to 23 projects which had old or stale outstanding security issues that either needed triage completing or releases making. Most projects responded by the deadline with an updated status report, and a number of issues were closed/completed (some included in the stats below, some after). We still have some projects that are not dealing with their security issues appropriately, and we have continued to escalate these to the projects themselves and to the board where needed. Where projects are unresponsive it reflects badly on the ASF and can lead to users being exposed when reporters choose to go public without a coordinated fix.
We worked with Press on the response to this story: https://www.bleepingcomputer.com/news/security/undisclosed-apache-velocity-xss-vulnerability-impacts-gov-sites/
We published the 2020 Security Report: https://s.apache.org/SecurityReport2020

Stats for Jan 2021:
26 [license confusion]
12 [support request/question not security notification]

Security reports: 46 (last months: 45, 45, 41)
15 [site]
3 [tomcat]
2 [airflow], [flink]
1 [commons], [cxf], [druid], [gobblin], [httpd], [hudi], [jmeter], [maven], [mina], [myfaces], [netty], [nutch], [nuttx], [ofbiz], [openmeetings], [openoffice], [poi], [pulsar], [ranger], [shiro], [skywalking], [struts], [trafficserver], [xerces]

In total, as of 1st Feb 2021, we're tracking 67 (last month: 68) open issues across 42 projects, median age 61 days (last month: 80). 38 of those issues have CVE names assigned. 9 (last month: 7) of these issues, across 5 projects, are older than 365 days. Some require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. In December the ASF became the first organisation to get a live CVE name using the new CVE project automation API. Instead of the security team holding a pool of names requested in advance we now allocate them on demand, with the service taking care of emails to the PMC and other previously manual parts of the process. We expect more automation available over the coming year allowing us to streamline the CVE process for projects even further. Special thanks go to Accumulo, Airflow, CXF, NuttX, Tomcat, and Unomi who all used the new portal to handle vulnerabilities.

Stats for Dec 2020:
18 [license confusion]
11 [support request/question not security notification]
Security reports: 45 (last months: 45, 41, 32)
9 [site]
4 [servicecomb]
3 [httpd], [shardingsphere], [struts]
2 [activemq], [dubbo], [hadoop], [hbase], [openoffice], [tomcat]
1 [accumulo], [cordova], [flink], [gobblin], [infrastructure], [kafka], [kylin], [maven], [myfaces], [shiro], [skywalking], [wicket]

In total, as of 30th December 2020, we're tracking 68 (last month: 64) open issues across 33 projects, median age 80 (last month: 90) days. 29 of those issues have CVE names assigned. 7 (unchanged since last month) of these issues, across 4 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. A couple of projects used our new CVE process web system for handling their issues and we continue to work on it, waiting for Mitre to roll out the production automation APIs.

Stats for Nov 2020:
21 [license confusion]
11 [support request/question not security notification]
Security reports: 45 (last months: 41, 32, 24, 38)
14 [site]
3 [httpd], [struts]
2 [hive], [maven]
1 [activemq], [airflow], [axis], [cxf], [flink], [hadoop], [hama], [kylin], [mina], [netbeans], [nuttx], [ozone], [pulsar], [shardingsphere], [shiro], [skywalking], [subversion], [tomcat], [trafficcontrol], [trafficserver], [unomi]

In total, as of 1st December 2020, we're tracking 64 (last month: 69) open issues across 34 projects, median age 90 (last month: 82) days. 33 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 4 projects, are older than 365 days. None require escalation.
Currently, each PMC is responsible for writing up their own CVE entries and submitting them to Mitre. This leads to many delays in the CVE database being updated with Apache issues, as entries are often rejected because the legacy format causes issues. We are working on a tool, hosted on an infra-managed VM, that will provide PMCs dealing with security issues a way to edit, validate, and submit their entries to Mitre. We are leveraging upcoming changes to CVE automation that will also allow us to request and allocate CVE names to projects on-the-fly. In the future it may allow us to delegate the entire workflow to the PMCs that handle a lot of issues, with them able to self-service from requesting a CVE through to making it live in the CVE list; for the others we can continue to help them through the process, and this will just make it simpler.

Also, continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Oct 2020:
24 [license confusion]
21 [support request/question not security notification]
Security reports: 41 (last months: 32, 24, 38, 46)
11 [site]
2 [apr], [fineract], [lucene], [openoffice], [sling], [trafficserver]
1 [activemq], [airflow], [ambari], [cassandra], [couchdb], [druid], [groovy], [hama], [hive], [nifi], [oozie], [poi], [shiro], [tomcat], [tvm], [velocity], [xerces], [xmlgraphics]

In total, as of 1st November 2020, we're tracking 69 (last month: 69) open issues across 36 projects, median age 82 (last month: 89) days. 30 of those issues have CVE names assigned. 8 (last month: 9) of these issues, across 4 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Sep 2020:
27 [license confusion]
14 [support request/question not security notification]
Security reports: 32 (last months: 24, 38, 46, 41)
7 [site]
3 [httpd], [superset]
2 [activemq], [dubbo], [tomcat]
1 [airflow], [cxf], [druid], [hc], [impala], [infrastructure], [logging], [lucene], [openmeetings], [poi], [pulsar], [struts], [trafficserver]

In total, as of 1st October 2020, we're tracking 69 (last month: 68) open issues across 37 projects, median age 89 (last month: 67) days. 33 of those issues have CVE names assigned. 9 (last month: 8) of these issues, across 6 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Aug 2020:
16 [license confusion]
24 [support request/question not security notification]
Security reports: 24 (last months: 38, 46, 41, 36)
6 [site]
4 [ofbiz]
3 [airflow], [dubbo]
2 [openoffice]
1 [activemq], [apisix], [calcite], [cassandra], [nifi], [shiro]

In total, as of 1st September 2020, we're tracking 68 (last month: 84) open issues across 38 projects, median age 67 (last month: 57) days. 41 of those issues have CVE names assigned. 8 (last month: 9) of these issues, across 6 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Jul 2020:
22 [license confusion]
25 [support request/question not security notification]
Security reports: 38 (last months: 46, 41, 36, 43)
5 [site]
2 [dubbo], [httpd], [kylin], [openoffice], [shiro], [tapestry], [tomcat]
1 [activemq], [apisix], [commons], [cordova], [couchdb], [hive], [infrastructure], [jspwiki], [livy], [mina], [nifi], [ofbiz], [pulsar], [shardingsphere], [sling], [spark], [tomee], [vcl], [zeppelin]

In total, as of 3rd August 2020, we're tracking 84 (last month: 73) open issues across 45 projects, median age 57 (last month: 61) days. 49 of those issues have CVE names assigned. 9 (last month: 9) of these issues, across 7 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Jun 2020:
21 [license confusion]
21 [support request/question not security notification]
Security reports: 46 (last months: 41, 36, 43, 23)
6 [airflow]
4 [site]
3 [guacamole], [httpd], [ofbiz], [tomcat]
2 [ambari], [dubbo], [lucene], [struts]
1 [activemq], [ant], [brooklyn], [cocoon], [dolphinscheduler], [flink], [ignite], [jackrabbit], [karaf], [kylin], [netbeans], [opennlp], [roller], [skywalking], [unomi], [xmlgraphics]

In total, as of 1st July 2020, we're tracking 73 (last month: 74) open issues across 36 projects, median age 61 (last month: 53) days. 45 of those issues have CVE names assigned. 9 (last month: 9) of these issues, across 6 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for May 2020:
22 [license confusion]
21 [support request/question not security notification]
Security reports: 41 (last months: 36, 43, 23, 40)
3 [airflow]
2 [camel], [cloudstack], [hive], [httpd], [infrastructure], [tomcat], [trafficserver]
1 [activemq], [archiva], [atlas], [cordova], [cxf], [hc], [jackrabbit], [kylin], [ofbiz], [openoffice], [opennlp], [samza], [shiro], [synapse], [syncope], [tomee], [trafficcontrol], [unomi], [usergrid], [vxquery], [wicket], [xmlgraphics], [zeppelin], [zookeeper]

In total, as of 1st June 2020, we're tracking 74 (last month: 71) open issues across 44 projects, median age 53 (last month: 65) days. 37 of those issues have CVE names assigned. 9 (last month: 8) of these issues, across 6 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for Apr 2020:
18 [license confusion]
22 [support request/question not security notification]
Security reports: 36 (last months: 43, 23, 40, 23)
5 [site]
4 [nifi]
3 [httpd]
2 [tomcat], [trafficserver]
1 [airflow], [camel], [cassandra], [cordova], [couchdb], [cxf], [dolphinscheduler], [freemarker], [guacamole], [hadoop], [hc], [ignite], [kafka], [logging], [ofbiz], [sentry], [shiro], [spark], [syncope], [tika]

In total, as of 1st May 2020, we're tracking 71 (last month: 58) open issues across 43 projects, median age 65 (last month: 61) days. 39 of those issues have CVE names assigned. 8 (last month: 8) of these issues, across 6 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. In the stats below "site" refers to reports of issues that are not specific to a project's code; for example, most of these are reports of missing DMARC records, lack of clickjacking protection, or open directory listings. Almost none of these are real issues; those that are get escalated to infra.

Stats for Mar 2020:
29 [license confusion]
13 [support request/question not security notification]
Security reports: 43 (last months: 23, 40, 23, 31)
13 [site]
2 [flink], [lucene], [shiro], [skywalking], [tomcat]
1 [ambari], [atlas], [camel], [couchdb], [cxf], [druid], [freemarker], [guacamole], [hadoop], [hc], [heron], [ignite], [jena], [kylin], [openmeetings], [syncope], [thrift], [velocity], [xerces], [zeppelin]

In total, as of 1st April 2020, we're tracking 58 (last month: 52) open issues across 35 projects, median age 61 (last month: 81) days. 33 of those issues have CVE names assigned. 8 (last month: 6) of these issues, across 6 projects, are older than 365 days. None require board escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. This month saw an issue in Tomcat, CVE-2020-1938, which gained press interest when it was given branding and a name and was disclosed by a third-party co-ordination centre before Tomcat released an advisory (although after the issue was fixed in new releases of Tomcat). Although serious if exploited, it only affected Tomcat installations which exposed an unprotected AJP Connector to untrusted networks (which is already not a good thing to do even without this issue). That limits the number of affected installations.

Stats for Feb 2020:
20 [license confusion]
26 [support request/question not security notification]
Security reports: 23 (last months: 40, 23, 31, 29)
6 [dubbo]
5 [site]
2 [tika]
1 [asterixdb], [cloudstack], [guacamole], [httpd], [iotdb], [logging], [openwhisk], [sling], [spamassassin], [tomcat]

In total, as of 1st March 2020, we're tracking 52 (last month: 53) open issues across 30 projects, median age 81 (last month: 69) days. 37 of those issues have CVE names assigned. 6 (last month: 4) of these issues, across 3 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. This month we published a look at Security for 2019: https://s.apache.org/security2019

Stats for Jan 2020:
16 [license confusion]
12 [support request/question not security notification]
Security reports: 40 (last months: 23, 31, 29, 28)
3 [httpd], [nifi], [tomcat]
2 [hadoop], [spamassassin], [trafficserver]
1 [activemq], [ant], [aries], [beam], [brooklyn], [cayenne], [cloudstack], [commons], [hc], [hive], [infrastructure], [jackrabbit], [jspwiki], [kafka], [kylin], [manifoldcf], [nuttx], [ofbiz], [olingo], [openoffice], [portals], [shardingsphere], [shiro], [superset], [zookeeper]

In total, as of 3 February 2020, we're tracking 53 (last month: 49) open issues across 32 projects, median age 69 (last month: 116) days. 36 of those issues have CVE names assigned. 4 (last month: 4) of these issues, across 3 projects, are older than 365 days. None require escalation.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. Lots of effort to close out old stale issues continues.

Stats for December 2019:
9 [license confusion]
16 [support request/question not security notification]
Security reports: 23 (last months: 31, 29, 28, 46)
5 [site]
3 [httpd]
2 [tomcat]
1 [activemq], [camel], [commons], [cxf], [hadoop], [kylin], [logging], [maven], [rocketmq], [spark], [struts], [trafficserver], [xerces]

In total, as of 6 January 2020, we're tracking 49 (last month: 60) open issues across 26 projects, median age 116 (last month: 119) days. 30 of those issues have CVE names assigned. 4 (last month: 7) of these issues, across 3 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for November 2019:
15 [license confusion]
12 [support request/question not security notification]
Security reports: 31 (last months: 29, 28, 46, 26)
3 [cxf], [lucene], [site]
2 [httpd], [olingo], [struts]
1 [cordova], [directory], [dubbo], [flink], [hive], [infrastructure], [kudu], [nifi], [shiro], [spamassassin], [syncope], [tomcat], [trafficcontrol], [ws], [xerces], [xmlgraphics]

In total, as of 1st December 2019, we're tracking 60 (last month: 74) open issues across 32 projects, median age 119 (last month: 88) days. 36 of those issues have CVE names assigned. 7 (last month: 7) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for October 2019:
3 [license confusion]
14 [support request/question not security notification]
Security reports: 29 (last months: 28, 46, 26, 23)
5 [site]
4 [httpd], [tomcat]
3 [guacamole]
2 [cloudstack], [netbeans]
1 [airflow], [deltaspike], [dubbo], [hadoop], [infrastructure], [jmeter], [ofbiz], [struts], [xmlgraphics]

In total, as of 31st Oct 2019, we're tracking 74 (last month: 81) open issues across 37 projects, median age 88 (last month: 75) days. 37 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 5 projects, are older than 365 days.
@Danny: speak with Mark about how to handle Ambari and Xerces
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for September 2019:
13 [license confusion]
10 [support request/question not security notification]
Security reports: 28 (last months: 46, 26, 23, 44, 29)
4 [site]
3 [hadoop]
2 [airflow], [arrow], [jspwiki], [openoffice]
1 [ambari], [camel], [cxf], [httpd], [infrastructure], [jmeter], [lucene], [nifi], [poi], [sentry], [shiro], [trafficserver], [zeppelin]

In total, as of 30th September 2019, we're tracking 81 (last month: 82) open issues across 38 projects, median age 75 (last month: 88) days. 40 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 4 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for August 2019:
15 [license confusion]
14 [support request/question not security notification]
Security reports: 46 (last months: 26, 23, 44, 29)
6 [openoffice], [site]
5 [zeppelin]
2 [airflow], [hadoop], [infrastructure], [kafka], [lucene], [trafficserver], [zookeeper]
1 [ambari], [apr], [cloudstack], [commons], [dubbo], [guacamole], [jspwiki], [nifi], [ofbiz], [royale], [santuario], [subversion], [tomcat], [trafficcontrol]

In total, as of 10th September 2019, we're tracking 82 (last month: 66) open issues across 36 projects, median age 88 (last month: 111) days. 47 of those issues have CVE names assigned. 8 (last month: 7) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. Some of the security team will be present at ApacheCon NA and running a BoF: https://www.apachecon.com/acna19/s/#/scheduledEvent/1337

Stats for July 2019:
12 [license confusion]
14 [support request/question not security notification]
Security reports: 26 (last months: 23, 44, 29, 39)
7 [ambari]
4 [httpd]
3 [infrastructure], [site]
2 [tika], [tomcat]
1 [geode], [hadoop], [ranger], [spark], [thrift]

In total, as of 1st August 2019, we're tracking 66 (last month: 64) open issues across 33 projects, median age 111 (last month: 120) days. 46 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 4 projects, are older than 365 days.
WHEREAS, the Apache Software Foundation (ASF) Board Committee, known as the Apache Security Team, expects to better serve its purpose through the periodic update of its membership; and

WHEREAS, the Apache Security Team is a Board-appointed committee whose membership must be approved by Board resolution;

NOW, THEREFORE, BE IT RESOLVED, that the following ASF members be added as Apache Security Team members:
Yann Ylavic <ylavic@apache.org>
Dirk-Willem van Gulik <dirkx@apache.org>

Special Order 7A, Update Apache Security Team Membership, was approved by Unanimous Vote of the directors present.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. We have a proposed resolution for this board meeting to expand the security team to include Yann Ylavic and Dirk-Willem van Gulik, both of whom have been on the security alias and doing security related work for some time.

This month included the security disclosure by a researcher who found several Apache projects used build scripts that would download dependencies over http rather than https. Prior to public disclosure, we worked to address these examples and also contacted all Apache projects to have them check build scripts and change to downloading dependencies securely. As a result, a number of Apache projects made changes to their dependencies, some declared they were not affected, and a few are in the process of being updated.

Stats for June 2019:
12 [license confusion]
10 [support request/question not security notification]
Security reports: 23 (last months: 44, 29, 39, 35)
3 [spark], [web site related]
2 [httpd], [infrastructure], [lucene], [trafficcontrol]
1 [activemq], [allura], [axis], [beanutils], [commons], [nifi], [openoffice], [struts], [zookeeper]

In total, as of 1st July 2019, we're tracking 64 (last month: 73) open issues across 36 projects, median age 120 (last month: 91) days. 45 of those issues have CVE names assigned. 8 (last month: 8) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. Had a discussion with Mitre over the slow response to issues and how ASF operates in handling security issues, with a view to better supporting us in the CVE process.

Stats for May 2019:
11 [license confusion]
12 [support request/question not security notification]
Security reports: 44 (last months: 29, 39, 35)
6 [web site related]
4 [httpd]
3 [sling], [tomcat]
2 [guacamole], [hadoop], [infrastructure], [nifi], [zeppelin]
1 [airflow], [archiva], [cassandra], [drill], [felix], [hbase], [hive], [impala], [jetspeed], [jspwiki], [mina], [openoffice], [shiro], [skywalking], [spark], [struts], [tika], [trafficserver]

In total, as of 3rd June 2019, we're tracking 73 (last month: 65) open issues across 37 projects, median age 91 (last month: 82) days. 44 of those issues have CVE names assigned. 8 (last month: 8) of these issues, across 5 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. There are continuing issues with Mitre taking several weeks to update the CVE database for some issues.

The Zeppelin project continued to not deal with outstanding security issues despite numerous contact attempts and even a board escalation. The issues had already been fixed in their code base for some time, but the process to notify users via a security advisory and publish the CVE names had not been completed. After a final warning, the Security Team therefore took the unfortunate step of publishing the details on their behalf: https://www.openwall.com/lists/oss-security/2019/04/23/1

Stats for April 2019:
8 [license confusion]
15 [support request/question not security notification]
Security reports: 29 (last months: 39, 35, 38)
6 [httpd]
4 [lucene]
3 [site]
2 [pdfbox], [shiro], [tomcat]
1 [atlas], [commons], [fineract], [hadoop], [hive], [jspwiki], [kafka], [ofbiz], [struts], [trafficserver]

In total, as of 1st May 2019, we're tracking 65 (last month: 84) open issues across 35 projects, median age 82 (last month: 66) days. 44 of those issues have CVE names assigned. 8 (last month: 12) of these issues, across 5 projects, are older than 365 days.
Mark Thomas says "This is a reminder that, as a board committee, the security committee needs to have a serving board member as a member of that committee. As I am no longer a board member, I believe the board needs to appoint a board member to the committee." We need to resolve this ASAP. Craig Russell was appointed to the Security Team, by General Consent.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. There are continuing issues with Mitre taking up to 2 weeks to update the CVE database.

Stats for March 2019:
15 [license confusion]
12 [support request/question not security notification]
Security reports: 39 (last months: 35, 38, 16)
15 [hack or license confusion]
12 [support request not a security issue]
7 [tomcat]
4 [infrastructure]
3 [httpd], [jspwiki]
2 [roller], [struts]
1 [airflow], [commons], [cxf], [dubbo], [hc], [kafka], [karaf], [libcloud], [lucene], [mina], [poi], [qpid], [shiro], [sling], [spamassassin], [spark], [tapestry], [zeppelin], [zookeeper]

In total, as of 1st April 2019, we're tracking 84 (last month: 85) open issues across 43 projects, median age 66 (last month: 77) days. 57 of those issues have CVE names assigned. 12 (last month: 7) of these issues, across 6 projects, are older than 365 days.
Craig Russell was appointed to the Security Team, by General Consent.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. There are continuing issues with Mitre taking up to 2 weeks to update the CVE database.

Stats for February 2019:
8 [license confusion]
21 [support request/question not security notification]
Security reports: 35 (last months: 38, 16, 34)
3 [httpd], [incubator/superset]
2 [activemq], [airflow], [hadoop], [openoffice], [site], [thrift]
1 [archiva], [commons], [cordova], [groovy], [hbase], [hc], [incubator/ponymail], [infrastructure], [jspwiki], [mesos], [nifi], [roller], [storm], [struts], [subversion], [tomcat], [zookeeper]

In total, as of 1st March 2019, we're tracking 85 (last month: 78) open issues across 43 projects, median age 77 (last month: 75) days. 61 of those issues have CVE names assigned. 7 (last month: 8) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. During January we saw some delays with Mitre updating their site with our CVE submissions to them; they expect this to resolve soon.

Stats for January 2019:
15 [license confusion]
9 [support request/question not security notification]
Security reports: 38 (last months: 16, 34, 28)
6 [httpd], [site]
3 [ambari]
2 [kafka], [struts], [tomcat]
1 [activemq], [axis], [camel], [cassandra], [couchdb], [fineract], [guacamole], [james], [karaf], [lucene], [mifos], [netbeans], [ofbiz], [openoffice], [qpid], [sling], [zookeeper]

In total, as of 1st February 2019, we're tracking 78 (last month: 81) open issues across 39 projects, median age 75 (last month: 109) days. 49 of those issues have CVE names assigned. 8 (last month: 13) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for December 2018:
13 [license confusion]
6 [support request/question not security notification]
Security reports: 16 (last months: 34, 28, 32)
3 [fineract]
2 [zeppelin]
1 [ambari], [camel], [hadoop], [hc], [incubator/superset], [jspwiki], [myfaces], [roller], [superset], [site], [tapestry]

In total, as of 1st January 2019, we're tracking 81 (last month: 93) open issues across 37 projects, median age 109 (last month: 78) days. 54 of those issues have CVE names assigned. 13 (last month: 7) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for November 2018:
5 [license confusion]
12 [support request/question not security notification]
Security reports: 34 (last months: 28, 32, 37)
10 [ofbiz]
2 [lucene], [struts]
1 [activemq], [ambari], [commons], [guacamole], [hadoop], [hc], [httpd], [ignite], [incubator/netbeans], [infrastructure], [kafka], [nifi], [openoffice], [pdfbox], [rocketmq], [roller], [spark], [tika], [tomcat], [zeppelin]

In total, as of 1st December, we're tracking 93 (last month: 90) open issues across 42 projects, median age 78 (last month: 73) days. 53 of those issues have CVE names assigned. 7 (last month: 5) of these issues, across 6 projects, are older than 365 days.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for October 2018:
11 [license confusion]
21 [support request/question not security notification]
Security reports: 28 (last months: 32, 37, 32)
3 [hadoop], [ofbiz], [syncope]
2 [httpd], [lucene], [openoffice], [spark]
1 [hc], [nifi], [nutch], [oozie], [shindig], [shiro], [spamassassin], [subversion], [tapestry], [tomcat], [site]

In total, as of 1st November, we're tracking 90 (last month: 87) open issues across 42 projects, median age 73 (last month: 86) days. 57 of those issues have CVE names assigned. 5 (last month: 4) of these issues, across 4 projects, are older than 365 days.
@Phil: draft strongly worded message on board list to PMCs that have outstanding security issues
"I would like to propose that we start adding lagging issues (over 365 days?) to the stats"

Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. The clean-up focus on issues that are more than 90 days old where no CVE name is yet assigned (therefore still in "investigation" state) has completed; down from 17 issues in August to 2.

Stats for September 2018:
9 [license confusion]
15 [support request/question not security notification]
Security reports: 32 (last months: 37, 32, 39)
6 [ofbiz]
3 [cloudstack]
2 [httpd], [impala], [jmeter]
1 [ignite], [incubator/airflow], [incubator/heron], [kafka], [mesos], [myfaces], [openoffice], [pdfbox], [poi], [portals], [shiro], [sling], [spark], [struts], [tapestry], [tika], [tomcat]

In total, as of 1st September, we're tracking 87 (last month: 89) open issues across 45 projects, median age 86 (last month: 113) days. 57 of those issues have CVE names assigned. 4 (last month: 8) of these issues, across 4 projects, are older than 365 days. We expect to close at least 1 of them this month.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. Current clean-up focus is on issues that are more than 90 days old where no CVE name is yet assigned (therefore still in "investigation" state). There are currently 10 of these across 8 projects.

Stats for August 2018:
13 [license confusion]
24 [support request/question not security notification]
Security reports: 37 (last months: 32, 39, 55)
3 [couchdb], [httpd], [spamassassin]
2 [commons], [nifi], [struts], [tomcat], [trafficserver]
1 [accumulo], [activemq], [allura], [fineract], [hive], [karaf], [netbeans], [ofbiz], [openoffice], [qpid], [ranger], [shiro], [spark], [storm], [subversion], [thrift], [zookeeper], [site]

In total, as of 1st September, we're tracking 89 (last month: 95) open issues across 42 projects, median age 113 (last month: 112) days. 56 of those issues have CVE names assigned. 8 (last month: 9) of these issues, across 7 projects, are older than 365 days. We continue to work with these projects to get these closed out.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice. We have made a change in the way we handle the automated GitHub dependency security reports. We will continue to forward them to the projects but we no longer track and chase them or include them in the stats. This is because they were a huge time commitment for little benefit (none of the issues have led to a security release being needed for a project).

Stats for July 2018:
16 [license confusion]
12 [support request/question not security notification]
Security reports: 32 (last months: 39, 55, 54)
8 [httpd]
3 [tomcat], [infrastructure]
2 [spark], [tika]
1 [ambari], [avro], [axis], [camel], [cayenne], [commons], [cordova], [couchdb], [datafu], [db], [dubbo], [hadoop], [hive], [jmeter], [logging], [openoffice], [ranger], [trafficserver]

In total, as of 1st August, we're tracking 95 (last month: 113) open issues across 42 projects, median age 112 (last month: 92) days. 59 of those issues have CVE names assigned. 9 (last month: 10) of these issues, across 8 projects, are older than 365 days. We continue to work with these projects to get these closed out.
Continued work on incoming security issues, keeping projects reminded of outstanding issues, and general oversight and advice.

Stats for June 2018:
13 [license confusion]
8 [support request/question not security notification]
Security reports: 39 (last months: 55, 54, 47)
3 [httpd]
3 [ignite]
2 [griffin], [lucene], [qpid], [struts], [tomcat]
1 [aurora], [bval], [commons], [cxf], [directory], [fineract], [geode], [gulp], [hadoop], [hive], [kafka], [metron], [nifi], [ofbiz], [openwhisk], [pdfbox], [poi], [sling], [spark], [storm], [trafficserver], [uima], [zookeeper]
Continued work on incoming security issues and helping projects clean up the backlog of old issues and outstanding CVE names. Significant co-ordination work happened in April and May based on the "Zip Slip" flaws reported by Snyk that were reported in more than a dozen ASF projects. In most cases these were not found to be security vulnerabilities, and the affected code was fixed or removed.

Stats for May 2018:
6 [license confusion]
21 [support request/question not security notification]
Security reports: 55 (last months: 54, 47, 40)
5 [tomcat]
4 [hadoop]
3 [httpd]
3 [nifi]
2 [hbase], [ignite], [mesos], [spark], [tika]
1 [activemq], [apex], [beam], [bigtop], [cassandra], [gobblin], [guacamole], [hive], [incubator/heron], [incubator/superset], [incubator/systemml], [infrastructure], [jackrabbit], [jmeter], [kafka], [lucene], [metron], [openoffice], [orc], [qpid], [reef], [sentry], [spamassassin], [storm], [struts], [tapestry], [trafficserver], [xerces], [xmlgraphics], [yetus]
Continued work on incoming security issues and helping projects clean up the backlog of old issues and outstanding CVE names.

Stats for April 2018:
17 [license confusion]
11 [support request/question not security notification]
Security reports: 54 (last months: 47, 40)
6 [httpd]
3 [storm]
3 [struts]
2 [geode]
2 [guacamole]
2 [hadoop]
2 [openoffice]
2 [tika]
2 [tomcat]
2 [zeppelin]
1 [accumulo], [activemq], [airavata], [ambari], [ant], [apex], [bookkeeper], [camel], [cloudstack], [commons], [cordova], [couchdb], [directory], [hive], [incubator/dubbo], [incubator/pulsar], [incubator/taverna], [incubator/weex], [infrastructure], [kylin], [maven], [metron], [nifi], [ofbiz], [spark], [thrift], [trafficserver], [zookeeper]
@Roman: start discussion with members on how to deal with unaddressed security vulnerabilities
Continued work on incoming security issues and helping projects clean up the backlog of old issues and outstanding CVE names.

Stats for March 2018:
   5 [license confusion]
  21 [support request/question not security notification]

Security reports: 47 (last month 40)
  4 [activemq]
  3 [nifi]
  3 [httpd]
  2 [cloudstack]
  2 [commons]
  2 [hadoop]
  2 [openoffice]
  2 [zeppelin]
  2 [infrastructure(site)]
  1 each [airavata], [atlas], [bookkeeper], [couchdb], [fineract], [guacamole], [helix], [hive], [incubator/dubbo], [incubator/ripple], [incubator/skywalking], [jmeter], [mynewt], [openmeetings], [qpid], [spamassassin], [struts], [syncope], [taverna], [tika], [tomcat], [trafficserver], [vcl], [wicket]
Continued work on incoming security issues and helping projects clean up the backlog of old issues and outstanding CVE names. Meanwhile we continue being responsive to new security@ emails, with all issues recently handled by the next working day (and most within hours).

* 2018-03-01 there were 117 open issues across 58 projects with median age 84 days (2018-02-01 there were 142 open issues across 59 projects with median age 89 days). (Around a dozen are GitHub dependency notifications that mostly will have no security consequence.)
* 2018-03-01 there are only 3 CVEs not yet in the Mitre CVE database from before Apache became a CNA in 2017. This is down from 133 when we started the cleanup on 2017-05-09.

Stats for February 2018:
  10 [license confusion]
   9 [support request/question not security notification]

Security reports: 40
  3 [hadoop]
  3 [openoffice]
  2 [hive]
  2 [lucene]
  2 [ofbiz]
  2 [spamassassin]
  2 [tomcat]
  2 [struts]
  1 each [allura], [ambari], [beam], [brooklyn], [camel], [derby], [geode], [guacamole], [incubator/hawq], [incubator/superset], [infrastructure], [juddi], [kafka], [knox], [nifi], [portals], [ranger], [spark], [synapse], [thrift], [xerces], [zeppelin]
The new system for handling incoming issues implemented in January is working very well. This, along with extra time commitment from security team members every day, has led to all incoming issues being dispatched within 24 hours (and often much less). In the past it could take a day or two, and the occasional issue would get mislaid and could take weeks. We've implemented automated scripts for tracking metrics, and therefore stats of the number of issues for both December and January are included this time.

* As of 2018-02-01 there were 142 open issues across 59 projects with median age 89 days (from 185 issues, 61 projects, 134 days on 2018-01-01). We continue to work on the older issues, many of which were released but never completed fully, or non-issues that were not closed correctly.

Stats for January 2018:
  10 [license confusion]
   9 [support request/question not security notification]

Security reports: 66
  4 [httpd]
  3 [hive]
  3 [couchdb]
  3 [tomcat]
  3 [infrastructure]
  2 [incubator/taverna]
  2 [geode]
  2 [lucene]
  2 [ambari]
  2 [cordova]
  2 [openoffice]
  2 [qpid]
  2 [sling]
  2 [spamassassin]
  2 [struts]
  1 each [allura], [ant], [axis], [bookkeeper], [camel], [cloudstack], [commons], [datafu], [eagle], [fineract], [flink], [hadoop], [incubator/skywalking], [incubator/spot], [kafka], [livy], [mesos], [metron], [myriad], [ode], [predictionio], [samza], [storm], [tomee], [vcl], [weex], [whimsy], [ws], [xerces], [yetus]

(Note there is a slight spike in incoming issues as we now include the new GitHub automated notifications, although most of these are benign and closed quickly.)

Stats for December 2017:
  11 [support request/question not security notification]
   7 [license confusion]
   1 [confused why our web sites have open directories, source code etc]

Security reports: 38
  5 [httpd]
  4 [incubator/airflow]
  2 [hadoop]
  2 [openoffice]
  2 [struts]
  1 each [activemq], [deltaspike], [flink], [fluo], [groovy], [ignite], [incubator/mxnet], [jackrabbit], [kudo], [mina], [ofbiz], [openmeetings], [qpid], [ranger], [sling], [synapse], [tomcat], [trafficserver], [weex], [whimsy], [wicket], [yarn], [zeppelin]
At the end of 2017 we switched to using a shared gmail account for handling security@apache mail, with use of labels to track issues. This has already started to have a positive effect, stopping the handlers duplicating effort and allowing us to better track issues that still need actions.

The metrics I usually include in the board report are a by-product of a monthly walkthrough of the mailbox to spot any missed issues. The new handling system does not require this monthly walkthrough and so there are no stats this month. However we're working on scripts to reinstate this, as well as to provide more useful stats for board oversight. One of the reports we can now automatically create is an aging report showing the number of outstanding security issues per project and how long they have been open:

* As of 2008-01-01 there were 185 open security issues across 61 projects with median age 134 days

This metric is created automatically and the individual issues have not yet been checked for accuracy. We're working our way through these in the coming weeks to determine their state, and then our future board reports can highlight projects where we have concerns (i.e. with large numbers of open issues or generally unresponsive).
Stats for November 2017:

15 CVEs issued to projects (some may not be public yet).

e-mails to security@
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   2 Support Questions
  13 Direct Vulnerability report to security@apache.org
       2 [commons]
       1 [activemq]
       1 [synapse]
       1 [drill]
       1 [zeppelin]
       1 [continuum]
       1 [hadoop]
       1 [geronimo]
       1 [oozie]
       1 [httpd]
       1 [drill]
       1 [site] rejected
  11 Vulnerabilities reported to projects
       1 [sling]
       1 [qpid]
       2 [httpd]
       2 [struts]
       1 [hadoop]
       2 [tomcat]
       1 [guacamole]
       1 [hive]
This month we had a researcher incorrectly report an issue in Solr/Lucene by sending it not just to security@apache.org but also to public mailing lists (CVE-2017-12629). This information included an exploit and spread rapidly. Updates from the project to mitigate this were produced rapidly and we worked with Press to ensure we had a media response.

Stats for October 2017:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   5 Support Questions
  13 Direct Vulnerability report to security@apache.org
       5 [ignite]
       1 [jmeter/activemq]
       1 [james]
       2 [solr]
       1 [httpd]
       2 [site] 1 rejected
       1 [commons]
  10 Vulnerabilities reported to projects
       1 [hive]
       1 [nifi]
       2 [couchdb]
       3 [geode]
       1 [cloudstack]
       1 [aurora]
       1 [tomcat]
Various statements were made around Struts issues this month, for the press and for https://blogs.apache.org/foundation/entry/responses-to-questions-from-us, and the security@struts list received a lot of requests for clarification around various public issues.

Stats for September 2017:

13 CVEs issued to projects (some may not be public yet).

e-mails to security@
   3 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   2 Support Questions
   9 Direct Vulnerability report to security@apache.org
       3 [httpd]
       1 [apr]
       1 [commons]
       1 [karaf]
       1 [spark]
       1 [zookeeper]
       1 [tomcat]
  21 Vulnerabilities reported to projects
      14 [tomcat] (many the same already public issue, many others rejected)
       4 [struts]
       1 [nifi]
       1 [aoo]
       1 [hive]
We've started an audit of the various security@[tlp] lists to ensure that only active project members and PMC members are subscribed.

Stats for August 2017:

7 CVEs issued to projects (some may not be public yet).

e-mails to security@
   5 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   4 Support Questions
  13 Direct Vulnerability report to security@apache.org
       1 [httpd]
       1 [zeppelin]
       2 [mesos]
       1 [apr/subversion]
       1 [batik]
       2 [airflow]
       2 [site] rejected
       1 [opennlp]
       1 [xerces]
       1 [drill]
   7 Vulnerabilities reported to projects
       1 [httpd]
       2 [kafka]
       1 [cloudstack]
       1 [zookeeper]
       1 [nifi]
       1 [hadoop]
Stats for July 2017:

We contacted Mitre to start working on the CVE backlog (where a CVE was assigned but the information is not yet available on the Mitre site). Part of the backlog (where issues were public before Oct 2016) relies on Mitre writing up the description. The rest depends on our projects filling in the missing information, and we started contacting projects to get them to do that. We'll give metrics on how that is going in future reports.

11 CVEs issued to projects (some may not be public yet).

e-mails to security@
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   6 Support Questions
   6 Direct Vulnerability report to security@apache.org
       1 [site] rejected
       1 [ambari]
       1 [httpd]
       1 [solr]
       1 [tomcat]
       1 [camel]
  14 Vulnerabilities reported to projects
       1 [cloudstack]
       1 [spark]
       4 [geode]
       1 [httpd]
       2 [struts]
       1 [couchdb]
       1 [kafka]
       1 [nifi]
       1 [zookeeper]
       1 [hadoop]
Stats for June 2017:

12 CVEs issued to projects (some may not be public yet).

e-mails to security@
   1 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
  11 Direct Vulnerability report to security@apache.org
       1 [site] rejected
       1 [ignite]
       1 [apr]
       2 [ranger]
       1 [zeppelin]
       1 [ambari]
       1 [commons]
       1 [axis2] rejected
       1 [httpd]
       1 [hadoop]
   7 Vulnerabilities reported to projects
       3 [httpd]
       1 [couchdb]
       1 [kafka]
       1 [struts]
       1 [couchdb]
Stats for May 2017:

16 CVEs issued to projects (some may not be public yet).

e-mails to security@
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   7 Direct Vulnerability report to security@apache.org
       2 [site] rejected
       1 [cordova]
       2 [solr]
       2 [httpd] (1 rejected)
   8 Vulnerabilities reported to projects
       6 [openmeetings]
       1 [trafficserver]
       1 [trafficcontrol]
Now that Apache is a CVE Candidate Naming Authority, we're starting to clear up old CVE names which were given to various TLPs over the last 9 years and that are either public and not yet at cve.mitre.org, or are not public for various reasons (still in progress, rejected, etc).

Stats for April 2017:

7 CVEs issued to projects (some may not be public yet).

e-mails to security@
   6 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   2 Support question
   8 Direct Vulnerability report to security@apache.org
       2 [fineract]
       1 [cayenne]
       1 [site]
       1 [logging]
       1 [tika]
       1 [thrift]
       1 [openmeetings]
  10 Vulnerabilities reported to projects
       5 [cloudstack]
       3 [tomcat]
       1 [trafficcontrol]
       1 [hadoop]
Stats for March 2017:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@
  12 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   1 Support question
  10 Direct Vulnerability report to security@apache.org
       3 [poi]
       1 [infrastructure]
       1 [deltacloud]
       1 [struts]
       1 [axis]
       1 [logging]
       1 [ambari]
       1 [cxf]
  13 Vulnerabilities reported to projects
       1 [hive]
       1 [httpd]
       1 [stark]
       1 [cloudstack]
       3 [struts] (+many more asking if RCE affected 1.x)
       2 [tomcat]
       3 [openoffice]
       1 [impala]
Stats for Feb 2017:

8 CVEs issued to projects (some may not be public yet).

e-mails to security@
   2 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   2 Support question
  10 Direct Vulnerability report to security@apache.org
       3 [site] (3 rejected)
       1 [httpd]
       1 [hbase] (rejected)
       1 [ranger]
       1 [flex]
       1 [struts]
       1 [camel]
       1 [karaf]
   9 Vulnerabilities reported to projects
       1 [ambari]
       1 [httpd] (rejected, was PHP)
       1 [zookeeper]
       2 [tomcat]
       1 [brooklyn]
       1 [apex]
       1 [struts]
       1 [ofbiz]
Stats for January 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@
   8 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   2 Support question
  10 Direct Vulnerability report to security@apache.org
       3 [httpd] (1 rejected)
       2 [ambari]
       1 [archiva]
       1 [activemq]
       1 [cordova]
       1 [axis] (rejected)
       1 [lucene]
   4 Vulnerabilities reported to projects
       2 [struts] (1 rejected)
       1 [httpd] (already fixed)
       1 [couchdb]
Stats for December 2016:

5 CVEs issued to projects (some may not be public yet).

e-mails to security@
   8 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   1 Security vulnerability question, but not a vulnerability report
  13 Direct Vulnerability report to security@apache.org
       1 [brooklyn]
       1 [camel]
       1 [openmeetings]
       1 [couchdb]
       1 [lucene]
       1 [ant]
       1 [apr]
       1 [tomee]
       1 [camel]
       2 [site] rejected
       1 [httpd]
       1 [cxf]
   8 Vulnerabilities reported to projects
       1 [struts]
       4 [httpd]
       1 [nifi]
       1 [hadoop]
       1 [ofbiz]
The team is still trying to follow up on issues reported via security@ to projects that do not seem to have been dealt with. While in many cases this leads to action (or formally closing an issue), there are still some without action which we will raise to the board in due course. We're hoping to find better automated methods of tracking and reporting on these.

Stats for November 2016:

5 CVEs issued to projects (some may not be public yet).

e-mails to security@
   4 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   1 Security vulnerability question, but not a vulnerability report
   2 Support question
   9 Direct Vulnerability report to security@apache.org
       1 [ambari]
       1 [lucene]
       1 [httpd]
       1 [xmlgraphics]
       1 [karaf] no response to reporter, OP disclosed after 7 days
       1 [site] rejected
       1 [axis]
       1 [cxf]
       1 [commons]
   5 Vulnerabilities reported to projects
       1 [hadoop]
       1 [struts]
       2 [httpd]
       1 [tomcat]
The team is still trying to follow up on issues reported via security@ to projects that do not seem to have been dealt with. While in many cases this leads to action (or formally closing an issue), there are still some without action which we will raise to the board in due course. We're hoping to find better automated methods of tracking and reporting on these.

Stats for October 2016:

2 CVEs issued to projects (some may not be public yet).

e-mails to security@
  15 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to "Apache" mentioned in OSS licenses
   1 Security vulnerability question, but not a vulnerability report
   2 Support question
   1 Direct Vulnerability report to security@apache.org
       1 [site]
   7 Vulnerabilities reported to projects
       1 [zookeeper]
       1 [tomcat]
       2 [hadoop]
       2 [aoo]
       1 [cloudstack]
Stats for September 2016:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@
   6 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   2 Security vulnerability question, but not a vulnerability report
   2 Support question
   3 Direct Vulnerability report to security@apache.org
       1 [commons]
       1 [axis]
       1 [groovy]
   4 Vulnerabilities reported to projects
       1 [zookeeper]
       1 [hadoop]
       1 [httpd]
       1 [activemq]
In August the Apache Security Team became an official Mitre Candidate Naming Authority (CNA). Previously we were given blocks of CVE names to use by Red Hat on request. Now we have our own block of CVE names direct from Mitre and are known as the official source when anyone asks for a CVE name for any non-public vulnerability in any ASF project. (This change has minimal process or operational impact at this time; it also was never obvious where the block came from or what the relationship with Red Hat was, so we don't intend any publicly visible commentary about this change.)

Stats for August 2016:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@
   9 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   4 Security vulnerability question, but not a vulnerability report
   9 Direct Vulnerability report to security@apache.org
       1 [thrift]
       4 [site] (rejected)
       1 [jackrabbit]
       1 [cordova]
       1 [brooklyn]
       1 [httpd]
   7 Vulnerabilities reported to projects
       2 [httpd]
       1 [struts]
       1 [tomcat]
       1 [hadoop]
       1 [sling]
       1 [trafficserver]
Stats for July 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
  12 Direct Vulnerability report to security@apache.org
       1 [httpd] (httpoxy)
       1 [ofbiz]
       1 [wicket]
       1 [tika]
       1 [axis]
       1 [myfaces]
       3 [site] (comments.apache.org valid issue addressed, 1 rejected, 1 open)
       1 [ranger]
       1 [blazeds]
  13 Vulnerabilities reported to projects
       3 [httpd]
       3 [tomcat]
       3 [openoffice]
       1 [struts]
       1 [hadoop]
       1 [sling]
       1 [hadoop]
Currently Apache allocates CVE names from a pool of names given to us by Red Hat, with Red Hat being the official Candidate Naming Authority (CNA). We approached Mitre some years ago with a view to becoming our own CNA so we get our own blocks of names. We've kickstarted this process again and hope to conclude it by the next report.

Stats for June 2016:

14 CVEs issued to projects (some may not be public yet).

e-mails to security@
   8 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
  10 Direct Vulnerability report to security@apache.org
       1 [httpd] (rejected)
       2 [site] (rejected)
       1 [qpid]
       1 [ofbiz]
       1 [cxf]
       1 [solr]
       1 [poi]
       1 [directory]
       1 [various] (rejected)
  18 Vulnerabilities reported to projects
       2 [httpd]
       8 [struts] (some rejected)
       1 [hadoop]
       3 [tomcat] (all rejected)
       2 [openoffice]
       1 [cloudstack]
       1 [cordova]
Following on from the discussion raised by Mark Thomas at the last board meeting, we discussed a plan for handling security issues that are repeatedly ignored by a PMC (determined by the history of dealing with the PMC, issue severity and issue history). We will draft a mail ready to be sent to the issue reporter which outlines the steps we made to contact the PMC and our suggested next action (usually that the reporter posts the details of the issue publicly in some forum such as the oss-security list). That draft will be sent to the PMC as our final attempt to get the PMC to respond and work with the reporter, and after some further period of inactivity it will be sent to the reporter and recorded in the next board report.

Stats for May 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@
   3 Support questions
   2 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
  12 Direct Vulnerability report to security@apache.org
       1 [juddi]
       1 [comdev]
       2 [site] rejected
       1 [ranger]
       1 [qpid]
       1 [axis]
       1 [wicket]
       1 [flex]
       1 [openmeetings]
       1 [oozie]
       1 [archiva]
   1 Vulnerabilities reported to projects
       1 [commons]
Stats for Apr 2016:

9 CVEs issued to projects (some may not be public yet).

e-mails to security@
   3 Support questions
   3 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   9 Direct Vulnerability report to security@apache.org
       3 [site] rejected
       1 [santuario]
       1 [tika]
       1 [continuum]
       1 [trafficserver]
       1 [myfaces]
       1 [activemq]
   7 Vulnerabilities reported to projects
       4 [struts]
       1 [aoo]
       2 [ambari]
A little progress has been made reviewing historical reports. We have now gone back as far as mid-March 2015. The current intention is to continue back into 2014, but how far back will be determined by the rate at which overlooked issues are uncovered.

The security team has been evaluating https://srcclr.com/. While it is an improvement on similar tools and has enabled a handful of projects to identify vulnerable dependencies, it currently lacks the features required for it to be useful without being overly burdensome at the ASF. These features are expected to be made available shortly, at which point the security team will re-evaluate.

The security team is currently tracking 72 open issues. Not all of these have been confirmed as valid and it is likely some will be rejected. Some TLPs have failed to respond to vulnerability reports and/or requests from the security team for updates.

Stats for Mar 2016:

15 CVEs issued to projects (some may not be public yet).

Just over 1000 e-mails to security@
   2 Support questions
   6 Questions about published security vulnerabilities
   3 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
  11 Direct Vulnerability report to security@apache.org
       1 [activemq]
       1 [cocoon]
       1 [commons]
       1 [httpd]
       1 [jspwiki]
       1 [mina]
       1 [openmeetings]
       1 [qpid]
       1 [shiro]
       1 [tomcat]
       1 [tomee]
  14 Vulnerabilities reported to projects
       1 [apex]
       1 [cloudstack]
       1 [hadoop]
       5 [httpd]
       5 [struts]
       1 [trafficserver]
@Jim: follow up with APR
The team continues to answer requests to security@ and redirect as appropriate.

For Feb 2016:
   3 Security vulnerability question, but not a vulnerability report
   3 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   7 Direct Vulnerability report to security@apache.org
       2 [site] (both addressed)
       1 [tomcat]
       1 [commons]
       1 [jackrabbit]
       1 [xerces]
       1 [httpd]
   6 Vulnerabilities reported to projects
       1 [sentry]
       1 [struts]
       2 [commons]
       1 [openoffice]
       1 [couchdb]
Greg: How is the review of old reports/follow-through going?
Mark: The exercise is proving to be useful. I intend to keep working back through the archive for as long as it continues to be useful. So far I've gone back a year.
The team continues following up on older reports direct to security@ and ensuring they have been handled by the respective PMCs.

Stats for Jan 2016:
   2 Support question
   2 Security vulnerability question, but not a vulnerability report
   8 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   9 Direct Vulnerability report to security@apache.org
       2 [xerces]
       1 [site]
       1 [cordova]
       2 [commons]
       1 [jetspeed]
       1 [httpd]
       1 [activemq]
   7 Vulnerabilities reported to projects
       1 [httpd]
       3 [tomcat]
       2 [aoo]
       1 [sling]
Given recent issues with some teams neglecting security reports, the team has started going back over older reports and ensuring they have been handled by the respective PMCs.

One issue affecting the Ranger Policy Admin server was allocated CVE-2015-5167, but after 5 months our requests to private@ranger.incubator.apache.org for updates have not been responded to. Raising this for board attention.

Stats for Dec 2015:
   2 Support question
  11 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   3 Direct Vulnerability report to security@apache.org
       3 [affecting web sites]
  15 Vulnerabilities reported to projects
       1 [cloudstack, via security@cloudstack]
       6 [tomcat, via security@tomcat]
       3 [httpd, via security@httpd] (one not ASF issue)
       1 [aoo site, via security@openoffice]
       2 [aoo, via officesecurity@lists.freedesktop.org]
       2 [aoo, via security@openoffice]
Apologies for the lack of a report last month and the late report this time, due to a process issue (the trigger to commit the report used to be the "Is Now Due" mail, which has not been received in recent months). However, there were no significant issues to report.

Given recent issues with some teams ignoring security reports, the team has started going back over older reports and ensuring they have been handled by the respective PMCs.

Stats for Oct 2015:
   1 Support question
   3 Security vulnerability question, but not a vulnerability report
   7 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   1 vulnerability report [httpd, via security@]
   2 vulnerability report [tomcat, via security@tomcat]
   1 vulnerability report [flex, via security@]
   1 vulnerability report [hadoop, via security@hadoop]

Stats for Nov 2015:
   3 Support question
   2 Security vulnerability question, but not a vulnerability report
  13 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
   1 vulnerability report [hadoop, via security@hadoop]
   1 vulnerability report [jetty, via security@]
   1 vulnerability report [infra, via security@] not an issue
   1 vulnerability report [beanutils, via security@]
   5 vulnerability reports [httpd, via security@] none are issues
   1 vulnerability report [sling, via security@]
   1 vulnerability report [hadoop, via security@]
   1 vulnerability report [ofbiz, via security@]
   1 vulnerability report [php, via security@] redirected to PHP project
A report was expected, but not received
Some concern last month due to the non-response of TomEE to a security issue we passed to the PMC list on 21st May 2015, which has had no response or acknowledgement to date. Please can the board remind the TomEE PMC of their need to follow the security process in a timely manner.

Short stats for September 2015, a very quiet month in which we received:
   6 Support question
   3 Security vulnerability question, but not a vulnerability report
  10 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports to security@apache.org:
   1 [httpd] (rejected, bug only)
Short stats for August 2015, we received:
   1 Support question
   9 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports to security@apache.org:
   1 [tomcat] closed, user error
   1 [ambari]
   2 [httpd]

Vulnerability reports direct to projects:
   1 [aoo, via officesecurity@freedesktop]
   2 [struts, via security@struts]
   1 [sentry, via security@sentry]
Short stats for July, we received:
   2 Security vulnerability question, but not a vulnerability report
   9 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:
   1 [cloudstack, via security@cloudstack]
   1 [couchdb, via security@couchdb]
   1 [struts, via security@struts]
   1 [hive, via security@hive]
   1 [commons, via security@ and direct]
   1 [httpd, via security@]
   1 [thrift, via security@]
   1 [trafficserver, via security@]
   1 [blaze, via security@]
   1 [apr, via security@]
   1 [groovy, via security@]
   1 [allura, via security@]
Yann Ylavic joined the security committee.

Short stats for June. We received:
   3 Support question
  20 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:
   2 [struts, via security@struts] (1 rejected)
   2 [notus, via security@] redirected to php
   2 [httpd, via security@httpd] 1 rejected
   2 [aoo, via officesecurity@lists.freedesktop.org]
   1 [aoo, via security@] rejected
   1 [ambari, via security@]
   1 [poi, via security@]
   1 [hadoop, via security@hadoop]
   1 [xalan, via security@]
   1 [camel, via security@]
   1 [site, via security@] rejected
   1 [directory, via security@]
   1 [sling, via security@sling]
   1 [groovy, via security@]
   1 [activemq, via security@]
Short stats for May. We received:
   1 Support question
   6 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:
   3 [httpd, via security@] (1 rejected)
   1 [axis, via security@]
   1 [site, via security@] rejected
   1 [jackrabbit, via security@]
   1 [activemq, via security@]
   1 [various, via security@]
   1 [tomee, via security@]
   1 [hive, via security@hive] rejected
   1 [struts, via security@struts]
Quick stats for April:
   1 Support question
  18 Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:
   1 [httpd, via security@httpd]
   1 [struts, via security@struts]
   2 [cordova, via private@cordova]
   1 [httpd, via security@httpd]
   2 [site, via security@] server-status again, rejected
   1 [cordova, via security@]

It was noticed that the Axis PMC have not responded to all the security issues forwarded to them, and that the responses they did send were not correctly cc'd to security@. We would suggest the board remind the Axis PMC of their responsibility in handling external security vulnerability notifications.

It was noticed that there was an issue with communication with the Xerces PMC; this was found to be partially due to the failure to moderate messages to private@. No board action required.

In the past month the Apache Tomcat project became aware of two instances where embargoed Tomcat security vulnerability information was accidentally published by Red Hat. After discussions with Red Hat, the Tomcat team are confident that both publications had the same root cause; that procedures have been put in place by Red Hat to prevent similar errors occurring again; and that no further action is required.
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

March 2015
   3 Support Question
   5 Confused user probably due to Android licenses
  11 Vulnerability reports to security@apache.org
       3 [site] rejected
       2 [httpd]
       1 [solr]
       1 [camel]
       1 [ambari]
       1 [activemq]
       1 [flex]
       1 [cordova]
   5 Vulnerability reports to projects own security lists
       1 [sling]
       1 [hive]
       1 [httpd]
       1 [struts]
       1 [tomcat] rejected
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

http://apache.org/security/committers.html updated to explain CVE name progress.

February 2015
   3 Confused user probably due to Android licenses
   7 Vulnerability reports to security@apache.org
       2 [xerces]
       1 [wink]
       1 [trafficserver]
       1 [ant]
       1 [httpd]
       1 [commons]
   4 Vulnerability reports to projects own security lists
       1 [svn]
       1 [cloudstack]
       1 [aoo]
       1 [sling]
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

January 2015
   2 Support question
   2 Security vulnerability question, but not a vulnerability report
   6 Confused user probably due to Android licenses
   8 Vulnerability reports to security@apache.org
       2 [tomcat] (1 rejected)
       1 [xerces]
       1 [site] rejected
       1 [cassandra]
       1 [batik]
       1 [httpd]
       1 [roller]
   4 Vulnerability reports to projects own security lists
       1 [hadoop]
       2 [tomcat]
       1 [struts]
We see a number of confused messages come to security@ every week where people say they have been hacked, or that they never installed our software. These were different from what happened in previous years, when people saw "powered by Apache" on a web page that was in outage and thought we'd hacked them. In December we emailed a number of these people (we usually ignore them) to try to figure out what they were seeing. Only one responded to me, and we figured out that what they saw was a license page for "Guava" on their Android mobile. The Guava license mentions it's under the Apache License. The user didn't know what Guava was, didn't remember installing it (they didn't), and assumed that whatever other things were happening on their handset were the result of this software.

Aside from these, there continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

December 2014
   2 Support questions
   5 Phishing/spam/proxy/attacks point to site "powered by Apache" or Android license bundle
   8 Vulnerability reports to security@apache.org
       2 [httpd]
       2 [site] rejected
       1 [cxf]
       1 [camel/dozer]
       1 [qpid]
       1 [xerces]
   3 Vulnerability reports to projects own security lists
       1 [oo]
       2 [tomcat] (1 rejected)
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

November 2014
   1 Security vulnerability question, but not a vulnerability report
   6 Vulnerability reports to security@apache.org
       2 [httpd]
       1 [site] rejected
       1 [xerces]
       1 [trafficserver]
       1 [tomcat]
   7 Vulnerability reports to projects own security lists
       2 [struts]
       2 [oo]
       1 [couchdb]
       1 [cloudstack]
       1 [spamassassin]
September 2014
   3 Support question
   1 Security vulnerability question, but not a vulnerability report
  11 Vulnerability reports to security@apache.org
       3 [tomcat] (1 invalid)
       2 [site] rejected
       1 [cordova]
       1 [httpd] rejected
       1 [james]
       1 [activemq]
       1 [solr]
       1 [qpid]
   8 Vulnerability reports to projects own security lists
       3 [cloudstack]
       2 [oo]
       1 [trafficserver]
       1 [hadoop]
       1 [hive]
Apologies for lack of report last month; I used to trigger the commit on receiving the 2nd reminder.

There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

Some press and researchers believed there was a new Apache worm, but it wasn't: http://bighacks.net/chroot-apch0day-apache-exploit-explained/

The Bash vulnerabilities CVE-2014-6271 (etc.) are being actively exploited via Apache httpd, most commonly where sites have CGI scripts written in Bash. (The exploit conditions do limit the number of affected servers.)

August 2014
  1 Support question
  4 Security vulnerability question, but not a vulnerability report
  11 Vulnerability reports to security@apache.org
    7 [website] (5 invalid)
    1 [activemq]
    1 [axis]
    1 [hadoop]
    1 [httpd]
  5 Vulnerability reports to projects' own security lists
    1 [openoffice]
    1 [tomcat]
    1 [cloudstack]
    1 [poi]
    1 [svn]

September 2014
  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  9 Vulnerability reports to security@apache.org
    2 [httpd] (1 invalid)
    1 [commons]
    1 [website] (invalid)
    1 [camel]
    1 [spark]
    1 [ambari]
    1 [subversion]
    1 [spamassassin] (invalid)
  5 Vulnerability reports to projects' own security lists
    1 [struts] (invalid)
    1 [openoffice]
    1 [tomcat]
    1 [hadoop]
    1 [sling] (rejected)
A report was expected, but not received
There continues to be a steady stream of reports of various kinds arriving at security@ in July. These continue to be dealt with by the security team.

July 2014
  1 Support question
  1 Phishing/spam/proxy/attacks point to site "powered by Apache"
  11 Vulnerability reports to security@apache.org
    3 [website] (closed, invalid)
    2 [trafficserver]
    2 [httpd]
    1 [hc]
    1 [solr/poi/tika]
    1 [axis]
    1 [activemq]
  6 Vulnerability reports to projects' own security lists
    2 [tomcat]
    1 [subversion]
    1 [sling]
    1 [struts]
    1 [openoffice]
There continues to be a steady stream of reports of various kinds arriving at security@ in April. These continue to be dealt with by the security team. Apologies for lack of update last month due to a missed reminder.

You'll notice a trend for reports against the Apache website which are so far all false positives caused by people who run third party scanning tools and don't bother to interpret the results (for example reporting that you can access a directory listing). These also included reports that www.apache.org had a public server status page, which although deliberate for many years, we asked infrastructure to remove (and is now done).

May 2014
  13 Vulnerability reports to security@apache.org
    8 [website] (all 8 closed, invalid)
    1 [karaf]
    1 [axis] (rejected)
    1 [commons]
    1 [httpd]
    1 [trafficserver]
  6 Vulnerability reports to projects' own security lists
    2 [tomcat]
    1 [couchdb]
    1 [hive]
    1 [hadoop]
    1 [struts]

June 2014
  8 Support question
  3 Phishing/spam/proxy/attacks point to site "powered by Apache"
  11 Vulnerability reports to security@apache.org
    8 [website] (8 closed, invalid)
    1 [shindig] (closed, invalid)
    1 [ofbiz]
    1 [cordova]
  6 Vulnerability reports to projects' own security lists
    3 [tomcat]
    1 [struts] (closed, not issue)
    1 [cloudstack]
    1 [httpd]
A report was expected, but not received
There continues to be a steady stream of reports of various kinds arriving at security@ in April. These continue to be dealt with by the security team.

April 2014
  1 Support question
  2 Phishing/spam/proxy/attacks point to site "powered by Apache"
  2 Security vulnerability question, but not a vulnerability report
  9 Vulnerability reports to security@apache.org
    3 [website] (3 closed, invalid)
    1 [axis]
    1 [maven] (closed, invalid)
    1 [httpd]
    1 [solr]
    1 [poi]
    1 [struts]
  9 Vulnerability reports to projects' own security lists
    6 [struts] (1 closed, not issue)
    1 [cloudstack]
    1 [hadoop] (closed, invalid)
    1 [tomcat]
There continues to be a steady stream of reports of various kinds arriving at security@ in March. These continue to be dealt with by the security team.

March 2014
  1 Support question
  2 Phishing/spam/proxy/attacks point to site "powered by Apache"
  8 Vulnerability reports to security@apache.org
    1 [traffic-server]
    3 [website] (closed, not issue)
    2 [httpd] (closed, not issue)
    1 [couchdb] (complete)
    1 [syncope] (in progress)
  4 Vulnerability reports to projects' own security lists
    2 [hadoop]
    1 [geronimo]
    1 [httpd]
There continues to be a steady stream of reports of various kinds arriving at security@ in Feb. These continue to be dealt with by the security team.

Feb 2014
  3 Support question
  1 Security vulnerability question, but not a vulnerability report
  11 Vulnerability reports to security@apache.org
    1 [traffic server]
    1 [logging]
    1 [poi]
    1 [archiva]
    3 [httpd]
    2 [cordova]
    1 [cxf]
    1 [tomcat]
  4 Vulnerability reports to projects' own security lists
    1 [sling]
    1 [struts]
    2 [tomcat]
There continues to be a steady stream of reports of various kinds arriving at security@ in Jan. These continue to be dealt with by the security team.

Some effort was made this month to start to chase some old issues which we forwarded to projects but where there was no visible progress. One of these was escalated to the board after the reporter had no response for 6 months. (The discussion was ongoing at the time of this report, but in general the difficulty is where a PMC does not have complete technical coverage of the project; in these cases we should make sure the PMC builds a separate security team of the folks who can handle issues. This is in no way an ASF-only issue; we see exactly the same problems with other upstreams including the Linux kernel etc.)

Jan 2014
  1 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/proxy/attacks point to site "powered by Apache"
  5 Vulnerability reports to security@apache.org
    1 [cordova]
    1 [directory]
    1 [roller]
    1 [archiva]
    1 [shiro]
  10 Vulnerability reports to projects' own security lists
    2 [tomcat]
    2 [camel]
    2 [struts]
    1 [cloudstack]
    2 [aoo]
    1 [hadoop]
There continues to be a steady stream of reports of various kinds arriving at security@ in Nov/Dec. These continue to be dealt with by the security team.

Nov 2013
  4 Support question
  1 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  19 Vulnerability Reports
    1 [axis, via security@apache.org]
    1 [hadoop, via security@hadoop]
    1 [sling, via security@sling]
    1 [tomcat, via security@tomcat]
    15 [cloudstack, via security@cloudstack]

Dec 2013
  3 Support question
  1 Security vulnerability question, but not a vulnerability report
  9 Phishing/spam/proxy/attacks point to site "powered by Apache"
  8 Vulnerability reports
    1 [tomcat, via security@tomcat]
    1 [site, via security@]
    2 [httpd, via security@]
    1 [cordova, via security@]
    2 [commons, via security@]
    1 [roller, via security@]
A report was expected, but not received
There continues to be a steady stream of reports of various kinds arriving at security@ in October. These continue to be dealt with by the security team.

  1 Support question
  5 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  9 Vulnerability Reports
    1 [httpd, via security@]
    1 [aoo, via security@openoffice]
    1 [cloudstack, via security@cloudstack]
    4 [tomcat, via security@tomcat]
    2 [hadoop, via security@hadoop]

Microsoft, Facebook, and others launched a program offering a bug bounty for flaws found in Apache httpd, https://hackerone.com/ibb, designed to run without interaction or endorsement by the ASF, but we'll report how that actually works out in future months.
There continues to be a steady stream of reports of various kinds arriving at security@, a large number of reports in October. These continue to be dealt with by the security team.

  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  14 Vulnerability Reports
    4 [httpd, via security@]
    1 [tomee, via security@]
    3 [struts, via security@]
    1 [xbean, via security@]
    1 [camel, via security@]
    1 [wink, via security@]
    2 [struts, via security@struts]
    1 [sling, via security@sling]
There continues to be a steady stream of reports of various kinds arriving at security@, a large number of reports in August. These continue to be dealt with by the security team.

  3 Support question
  3 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  19 Vulnerability Reports
    1 [struts, via security@]
    4 [httpd, via security@]
    1 [shindig, via security@]
    1 [tomcat, via security@]
    1 [xalan-j, via security@]
    1 [hadoop, via security@hadoop]
    3 [struts, via security@struts]
    2 [tomcat, via security@tomcat]
    3 [cloudstack, via security@cloudstack]
    1 [sling, via security@sling]
    1 [svn, via security@subversion]
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  1 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/attacks point to site "powered by Apache"
  7 Vulnerability reports
    3 [struts, via security@struts]
    1 [infrastructure, via security@]
    1 [sling, via security@sling] CVE-2013-2254
    1 [roller, via security@]
    1 [jackrabbit, via security@]
There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Support question
  2 Phishing/spam/attacks point to site "powered by Apache"
  15 Vulnerability reports
    2 [aoo, via officesecurity@lists.freedesktop.org] [1 closed]
    1 [sling, via security@sling]
    2 [httpd, via security@] [CLOSED]
    1 [cloudstack, via security@cloudstack]
    1 [hadoop, via security@hadoop]
    1 [archiva, via security@]
    1 [various, via security@] [CLOSED]
    2 [ofbiz, via security@]
    1 [tomcat, via security@]
    1 [tomcat, commons, via security@] [CLOSED]
    1 [hbase, via security@hadoop, private@hbase]
    1 [struts, via security@struts]
For May 2013: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  7 Support question
  5 Phishing/spam/attacks point to site "powered by Apache"
  9 Vulnerability reports
    2 [httpd, via security@] [1 CLOSED]
    3 [struts, via security@struts] [1 CVE-2013-2115 CLOSED]
    1 [xerces-j, via security@] [CLOSED]
    1 [aoo, via officesecurity@lists.freedesktop.org]
    1 [solr, via security@] [CLOSED]
    1 [cloudstack, via security@cloudstack]
For Apr 2013: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  1 Security vulnerability question, but not a vulnerability report
  5 Phishing/spam/attacks point to site "powered by Apache"
  12 Vulnerability reports
    1 [cloudstack, via private@cloudstack and security@]
    2 [tomcat, via security@tomcat] [CLOSED]
    1 [tomee, via security@]
    1 [ofbiz, via security@]
    1 [ACS, via security@ and private@cloudstack]
    2 [httpd, via security@] [1 CLOSED]
    1 [Santuario, via security@]
    1 [struts, via security@struts]
    1 [xerces-j2, via security@]
    1 [tapestry, via security@]
For Mar 2013: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  4 Phishing/spam/attacks point to site "powered by Apache"
  9 Vulnerability reports
    1 [rave, via security@httpd] [CLOSED, CVE-2013-1814]
    2 [ActiveMQ, via security@] [CLOSED]
    1 [axis, via security@]
    1 [tomcat, via security@]
    1 [qpid, via security@ and private@qpid]
    1 [httpd, via security@]
    1 [subversion, via security@ and private@subversion]
    1 [openoffice, via officesecurity@lists.freedesktop.org]
For Feb 2013: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Support question
  1 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports
    1 [httpd, via security@httpd]
    1 [subversion, via security@] [CLOSING]
    1 [geronimo, via security@geronimo] [CLOSING]
    1 [httpd, via security@] [CLOSED, not security]
    1 [infrastructure, via security@] [CLOSED, not security]
    1 [tomcat, via security@]
For Jan 2013: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Support question
  2 User was hacked, but it wasn't ASF software at fault
  7 Vulnerability reports
    1 [directory, via security@apache.org] [CLOSED, not an issue]
    1 [ofbiz, via security@apache.org] [CLOSED, dev version only]
    1 [httpd, via security@apache.org] [CLOSED, not httpd]
    1 [httpd, via security@apache.org] [STALLED, waiting for reporter]
    1 [tomcat, via security@apache.org] [CLOSED, not an issue]
    1 [tomcat, via security@tomcat.apache.org] [CLOSED, not an issue]
    1 [maven, via security@apache.org]

Since the new year we have started a weekly review of open issues to try to catch situations where the security team have not forwarded reports correctly or where the project has not responded to the reporter.
For Dec 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  4 Support question
  1 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability reports
    2 [httpd, via security@apache.org]
    1 [tomcat, via security@tomcat.apache.org]
    1 [commons, via security@apache.org]
    1 [openoffice, via security@openoffice.apache.org]
    1 [not asf project, via security@apache.org]

For the calendar year 2012 as a whole we saw:
  27 Support questions (31 in 2011)
  18 Security vulnerability question, but not a vulnerability report (19 in 2011)
  18 Phishing/spam/attacks point to site "powered by Apache" (15 in 2011)
  0 User was hacked, but it wasn't ASF software at fault (0 in 2011)
  78 Vulnerability reports (60 in 2011)
    38 of which came in to security@apache.org, the others direct to projects
    25 projects got vulnerability reports; the top 4 accounted for the majority:
      21% httpd
      15% tomcat
      11% openoffice
      10% hadoop

Note that not all vulnerability reports are valid or lead to a security fix being issued; we do not track this (resource intensive to capture). However in 2012 we managed to annoy several reporters by failing to respond to their reports in a reasonable time; this is because our process [http://apache.org/security/committers.html] relies on the project following up with the reporter and the security team does not track if this has been done. Given the relatively low number of real reports, for 2013 we'll try some approaches to better close the loop.
For Nov 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Phishing/spam/attacks point to site "powered by Apache"
  3 Vulnerability reports
    1 [cloudstack, via security@apache.org]
    1 [trafficserver, via security@apache.org]
    1 [commons, via security@apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For Oct 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  2 Support question
  1 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  10 Vulnerability report
    3 [httpd, 2 via security@httpd.apache.org, 1 via security@apache.org]
    2 [tomcat, via security@tomcat.apache.org]
    2 [hadoop, via security@hadoop.apache.org]
    1 [struts, via security@struts.apache.org]
    1 [cloudstack, via security@apache.org] CVE-2012-4501
    1 [cordova, via security@apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For Sept 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  4 Support question
  1 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability report
    2 [tomcat, via security@tomcat.apache.org]
    1 [solr, via security@apache.org]
    3 [hadoop, via security@hadoop.apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For August 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  3 Security vulnerability question, but not a vulnerability report
  9 Vulnerability reports of which:
    1 [axis, via security@apache.org]
    3 [httpd, via security@apache.org]
    1 [james, via root@apache.org]
    1 [ofbiz, via security@apache.org]
    1 [tapestry, via security@apache.org]
    1 [infrastructure, via security@apache.org]
    1 [ooo, via ooo-security@incubator.apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For July 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  1 Phishing/spam/attacks point to site "powered by Apache"
  5 Vulnerability reports of which:
    2 [tomcat, via security@tomcat.apache.org]
    1 [rave, via security@tomcat.apache.org]
    1 [batik/fop, via security@apache.org]
    1 [libcloud, via security@apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For June 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  8 Vulnerability reports of which:
    1 [tomcat, via security@tomcat.apache.org]
    1 [apacheds, via security@apache.org] (already resolved in latest)
    1 [tomcat, via security@tomcat.apache.org] (not an issue)
    1 [struts, via security@struts.apache.org]
    1 [sling, via security@sling.apache.org]
    3 [infrastructure, via security@apache.org] all 3 reported that apache.org/server-status was public (deliberate)

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For May 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  2 Support question
  3 Phishing/spam/attacks point to site "powered by Apache"
  5 Vulnerability reports, of which:
    3 [aoo, via officesecurity@lists.freedesktop.org]
    1 [httpd, via security@apache.org]
    1 [hadoop, via security@hadoop.apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For April 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  2 Phishing/spam/attacks point to site "powered by Apache"
  9 Vulnerability reports, of which:
    2 [httpd, via security@apache.org]
    2 [aoo, via officesecurity@lists.freedesktop.org]
    2 [sling, via security@sling.apache.org]
    1 [roller, via security@apache.org]
    1 [tomcat, via security@apache.org]
    1 [commons, via security@apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For March 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  2 Security vulnerability question, but not a vulnerability report
  7 Vulnerability reports, of which:
    1 [tomcat, via security@apache.org]
    1 [ds, via security@apache.org]
    2 [hadoop, via security@hadoop.apache.org]
    1 [httpd, via security@apache.org]
    1 [aoo, via officesecurity@lists.freedesktop.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For February 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  2 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports, of which:
    1 [xerces, via security@apache.org]
    1 [httpd, via security@apache.org]
    2 [struts, via security@struts.apache.org]
    1 [tomcat, via security@tomcat.apache.org]
    1 [poi, via security@apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For January 2012: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  2 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability reports, of which:
    2 [httpd, via security@apache.org]
    1 [ws, via security@apache.org]
    1 [apr, via security@apache.org]
    1 [oo, via oo-security@incubator.apache.org]
    1 [struts, via security@struts.apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For December 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Support question
  2 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability reports, of which:
    3 [httpd, via security@apache.org]
    1 [httpd, via security@httpd.apache.org]
    1 [oo, via securityteam@openoffice.org and officesecurity@lists.freedesktop.org]
    1 [struts, via security@struts.apache.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For November 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  1 Security vulnerability question, but not a vulnerability report
  8 Vulnerability reports, of which:
    3 [httpd, via security@apache.org]
    2 [tomcat, via security@tomcat.apache.org]
    1 [tomcat, via security@apache.org]
    1 [myfaces, via security@apache.org]
    1 [oo, via securityteam@openoffice.org]

The Security project really performs two duties: we receive incoming reports of security vulnerabilities in ASF software, and we help projects understand and deal with such reported security vulnerabilities. These reports come to security@apache.org usually from parties outside of the ASF. We keep track of metrics of how many issues get reported, in what way, along with the number of non-security reports, just to give the board an idea of the magnitude of external reports and for trending. Once an issue is passed to the appropriate PMC we no longer track it, and therefore we can't give overall summaries of how quickly the ASF responds to issues, or severity trending, or total vulnerability counts including those issues reported directly to a PMC or found by ASF members internal to a project. Because our interaction with each issue is minor, there isn't much additional information we can give in our monthly reports.

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
For October 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  7 Support question
  2 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports, of which:
    1 [httpd, via security@httpd.apache.org]
    1 [tomcat, via security@apache.org and geronimo via security@geronimo.apache.org]
    1 [httpd, via security@apache.org]
    2 [oo, via securityteam@openoffice.org]

Reminder: vulnerability handling process explained at http://apache.org/security/committers.html
It was noted that Larry has an existing action item to discuss security protocol with this PMC. Larry indicated that he will follow up via e-mail.
For September 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  4 Support question
  3 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports, of which:
    3 [httpd, via security@apache.org]
    1 [commons, via security@apache.org]
    2 [struts, via security@struts.apache.org]
For August 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

August saw the HTTPD team spend a lot of effort on CVE-2011-3192 (byterange remote DoS, apache-killer.pl).

  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability reports, of which:
    1 Vulnerability report [tomcat, via security@tomcat.apache.org] [CLOSED]
    1 Vulnerability report [struts, via security@struts.apache.org]
    4 Vulnerability report [httpd, via security@apache.org]
For July 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  3 Phishing/spam/attacks point to site "powered by Apache"
  7 Vulnerability reports of which:
    1 Vulnerability report [couchdb, via security@couchdb.apache.org]
    1 Vulnerability report [openoffice, via security@apache.org]
    2 Vulnerability report [tomcat, via security@tomcat.apache.org]
    2 Vulnerability report [httpd, via security@httpd.apache.org]
    1 Vulnerability report [httpcomponents, via security@apache.org] [CLOSED]

Note from last board minute question: not all things listed as "Vulnerability report" turn out to be real vulnerabilities, and if they are, it's usual for the investigation and final fix to take some time (especially for a low severity issue), so issues are likely to be in progress over the course of several status reports and not closed in the same month.
For Jun 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability reports
    1 [infrastructure, via security@apache.org]
    1 [multiple projects, via security@apache.org]
    3 [tomcat, via security@tomcat.apache.org]
    1 [httpd, via security@apache.org]
For May 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  2 Vulnerability reports
    1 [continuum, via security@apache.org]
    1 [camel, via security@apache.org]
For April 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  1 Support question
  4 Vulnerability reports
    1 [infrastructure, via security@apache.org]
    1 [xerces, via security@apache.org]
    1 [httpd, via security@apache.org] CLOSED, not an issue
    1 [struts, via security@struts.apache.org] CLOSED, no issues
For March 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/attacks point to site "powered by Apache"
  1 Vulnerability report [tomcat, via security@tomcat.apache.org]
Apologies for missing report for Feb board, was due to a failed commit. Here it is:

For January 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  5 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  5 Vulnerability reports of which:
    2 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [mod_perl, via security@apache.org]
    1 Vulnerability report [tomcat, via security@apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]

For February 2011: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  3 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  5 Vulnerability reports of which:
    2 Vulnerability report [hadoop, via security@hadoop.apache.org]
    1 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [poi, via security@apache.org]
    1 Vulnerability report [struts, via security@struts.apache.org]
No report was received.
For December 2010: There continues to be a steady stream of reports of various kinds arriving at security@. These continue to be dealt with by the security team.

  7 Support question
  1 Security vulnerability question, but not a vulnerability report
  3 Vulnerability reports of which:
    1 Vulnerability report [infrastructure, via security@]
    1 Vulnerability report [roller, via security@]
    1 Vulnerability report [httpd, via security@]

Additionally, the Tomcat and HTTPD security pages were updated to expose the date each issue was reported to the ASF and the date each issue was public, in addition to the date the issue was fixed. Vulnerability databases and researchers find this information useful. Examples:
  http://tomcat.apache.org/security-7.html
  http://httpd.apache.org/security/vulnerabilities_22.html
For November 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.

  2 Phishing/spam/attacks point to site "powered by Apache"
  1 Security vulnerability question, but not a vulnerability report
  1 User was hacked, but it wasn't ASF software at fault
  5 Vulnerability reports of which:
    1 Vulnerability report [tomcat, via security@apache.org]
    2 Vulnerability report [tomcat, via security@tomcat] (one was CVE-2010-4172)
    1 Vulnerability report [struts, via security@struts]
    1 Vulnerability report [httpd, via security@apache]
For October 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.

  4 Support question
  2 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports of which:
    2 Vulnerability report [couchdb, via security@couchdb]
    2 Vulnerability report [tomcat, via security@tomcat]
    1 Vulnerability report [httpd]
    1 Vulnerability report [shiro] CVE-2010-3863 [CLOSED]
For September 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.

  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  3 Vulnerability reports of which:
    1 Vulnerability report [subversion, via security@apache.org]
    1 Vulnerability report [libcloud, via security@apache.org]
    1 Vulnerability report [Archiva, via security@apache.org]
For August 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.

  1 Support question
  3 Security vulnerability question, but not a vulnerability report
  4 Vulnerability reports of which:
    2 Vulnerability report [hadoop, via security@hadoop.apache.org]
    1 Vulnerability report [jackrabbit, via security@apache.org] (Was normal bug)
    1 Vulnerability report [Traffic Master, via security@apache.org]
At DefCon a vulnerability in Apache Struts2 (CVE-2010-1870) received a Pwnie award (http://pwnies.com/winners/) not just because the flaw was remote and serious, but because of the mishandling by the ASF ("receiving no response from security@struts.apache.org"). This is not completely correct: although the reporter did have to send his report to security@struts twice, the second time it was acted on and a conversation with the reporter took place. However the vulnerability is still not fixed in any released update to Struts, and the Security Team has found it hard to engage the Struts PMC about this and had to contact individual Struts committers, also without much success. Once the Struts team are more back from holidays we'll engage them in a postmortem of this event to improve future vulnerability handling.

'Security Curmudgeon' mentioned that they have a number of issues they are tracking in osvdb.org for various Apache projects which may have a security consequence and should get CVE names. These issues are mostly all fixed, but just with undisclosed security context. The Security Team intend to work on this list, split it by project, and contact each of the projects to clean this up. It will take some time.

For July 2010:
  1 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  3 Vulnerability reports of which:
    1 Vulnerability report [commons, via security@apache.org]
    1 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [struts, via security@struts.apache.org]
Shane wonders how to make PMCs aware of how important security is.
Approved by general consent.
For June 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be triaged by the security team.
  2 Support question
  3 Security vulnerability question, but not a vulnerability report
  6 Vulnerability reports, of which:
    2 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [httpd, internal via security@httpd.apache.org]
    1 Vulnerability report [axis, internal via security@apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]
    1 Vulnerability report [tomcat, via security@apache.org]
Missing data presumed to be a calendar skew (different starts of month); Jim to verify.
For May 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be triaged by the security team.
  5 Support question
  2 Security vulnerability question, but not a vulnerability report
  7 Vulnerability reports, of which:
    3 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [activemq, via security@apache.org]
    1 Vulnerability report [wss4j, via security@apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]
    1 Vulnerability report [struts, via security@struts.apache.org]
(Note that the above counts vulnerability reports in the month they arrive, not whether they later turn into verified issues that are fixed; hence it is just a useful volume counter and it is not appropriate to include CVE names.)
For Apr 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  2 Support question
  3 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  4 Vulnerability reports, of which:
    2 Vulnerability report [wicket, via security@apache.org]
    2 Vulnerability report [tomcat, via security@tomcat.apache.org]
Jim indicated that it would be nice for reports to include CVEs, if applicable, as well as a foundation-wide security page which lists all known/addressed security issues.
For Mar 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  2 Support question
  3 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  4 Vulnerability reports, of which:
    1 Vulnerability report [httpd, via security@httpd.apache.org]
    1 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [struts, via security@struts.apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]
Apologies, the last status report had metrics labelled Dec 2009 but they were actually for Jan 2010.

For Feb 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  4 Support question
  1 Phishing/spam/attacks point to site "powered by Apache"
  4 Vulnerability reports, of which:
    1 Vulnerability report [axis, via security@apache.org]
    1 Vulnerability report [ofbiz, via security@apache.org]
    2 Vulnerability report [httpd, via security@apache.org]
Shane to discuss the idea of a central public repository for all security fixes in order to improve security communications with the general public.
For January 2010: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  4 Security vulnerability question, but not a vulnerability report
  5 Vulnerability reports, of which:
    4 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [myfaces, via security@apache.org]
Discussion of the relative merits of meeting-to-meeting vs. calendar based reports. General consensus: as long as each project is consistent, the board is OK.
For December 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability report, of which:
    1 [juddi, via security@apache.org]
    2 [tomcat, via security@tomcat.apache.org]
    3 [httpd, via security@apache.org]
For November 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  5 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Vulnerability report, of which:
    1 [myfaces, via security@apache.org]
Also in November the TLS renegotiation flaw was made public; correcting it requires protocol updates. The upstream OpenSSL fix was to disable all renegotiation, which can break sites needing to use client certificates, so mod_ssl got an alternative mitigation fix (http://marc.info/?m=125755783724966). This will continue to be a painful issue for some months, as changes to the protocol and to the OpenSSL implementation of it may break some client/server interactions.
For October 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  2 Support question
  4 Security vulnerability question, but not a vulnerability report
  2 Vulnerability report, of which:
    1 [infrastructure xss, via security@apache.org]
    1 [httpd, via security@apache.org]
For September 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  2 Support question
  3 Security vulnerability question, but not a vulnerability report
  5 Vulnerability reports, of which:
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]
    1 Vulnerability report [tomcat, via security@apache.org]
    1 Vulnerability report [portals, via security@apache.org]
    2 Vulnerability report [httpd, via security@apache.org]
For August 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team. This month saw additional load due to questions about the "Slowloris" httpd exploit. Due to the outstanding work of the infrastructure team and their rapid and full disclosures we did not get questions about the infrastructure compromise.
  1 Support question
  6 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  5 Vulnerability reports, of which:
    1 Vulnerability report [apr, via security@apache.org] CVE-2009-2412
    1 Vulnerability report [httpd, via security@apache.org] (not an issue)
    1 Vulnerability report [httpd, via security@httpd.apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org]
    1 Vulnerability report [tomcat, via security@tomcat.apache.org] (not an issue)
For July 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with by the security team.
  5 Support question
  4 Security vulnerability question, but not a vulnerability report
  3 Vulnerability reports, of which:
    1 Vulnerability report [httpd, via security@apache.org]
    2 Vulnerability report [infrastructure, via security@apache.org]
For June 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  2 Support question
  7 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  1 Vulnerability report, of which:
    1 Vulnerability report [httpd, via security@apache.org]
This month saw the publication of the Apache httpd "Slowloris" DoS tool, which caused a larger number of public questions to the list (those questions and discussions were correctly redirected to the public dev list). Updated Tomcat and APR-util were also released to address a number of older security issues.
For May 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  1 Support question
  3 Vulnerability report, of which:
    1 Vulnerability report [tomcat, via security@apache.org]
    1 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [xerces, via security@apache.org]
For Apr 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  2 Support question
  5 Vulnerability report, of which:
    1 Vulnerability report [tomcat, via security@apache.org]
    2 Vulnerability report [tomcat, direct]
    1 Vulnerability report [httpd, via security@apache.org]
    1 Vulnerability report [Juddi, via security@apache.org]
Bill to get with Mark to ask what "direct" means.
For Mar 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  2 Support question
  3 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability report, of which:
    1 Vulnerability report [httpd, via security@apache.org]
    2 Vulnerability report [tomcat, direct]
    2 Vulnerability report [tomcat, via security@apache.org]
    1 Vulnerability report [mod_perl, via security@apache.org]
For Feb 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  2 Support question
  2 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  4 Vulnerability report
For Jan 2009: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  2 Support question
  1 Security vulnerability question, but not a vulnerability report
  6 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  8 Vulnerability reports
Also in January the security team page was created to 1) tell users how to report issues in any ASF project and 2) give guidance on how to deal with such reports. http://www.apache.org/security/
We agreed to collapse the Vulnerability reports in the public minutes going forward, omitting the names of the projects.
For December 2008: There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
  6 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  1 Vulnerability report [geronimo, direct to geronimo team]
  2 Vulnerability report [tomcat, direct to tomcat team]
  2 Vulnerability report [httpd, via security@apache.org]
  1 Vulnerability report [roller, via security@apache.org]
Partially to address the large number of support questions, in Jan 2009 Mark Thomas has been working on an ASF top-level /security page which better explains the use of the security@apache.org address and will hopefully cut down on some of the out-of-scope emails.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Nov 2008:
  4 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 Vulnerability report [spamassassin]
No report received. Bill sent a reminder.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Oct 2008:
  1 Support question
  3 Security vulnerability question, but not a vulnerability report
  2 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  7 Vulnerability reports across four projects containing a mix of verified and unverified issues
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
Aug 2008:
  1 Support question
  1 Phishing/spam/attacks point to site "powered by Apache"
Sep 2008 (now also including the other security@x.apache.org lists; note again that "vulnerability report" includes things sent to us that turn out not to be vulnerabilities, as it is an indication of response effort):
  4 Support question
  3 Security vulnerability question, but not a vulnerability report
  1 User was hacked, but it wasn't ASF software at fault
  3 Vulnerability report [tomcat]
  3 Vulnerability report [httpd]
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team. Statistics missing for this month and will be updated for next month including the breakout of issues per project as requested at the last board meeting.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For July 2008:
  1 Support question
  1 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  3 Vulnerability report
Note that the statistics given each month are for queries sent to security@apache.org and do not include any that are sent to specific project lists advertised separately, such as security@tomcat.apache.org. Most projects do not advertise separate lists (or really need to, given the low volume of issues affecting most projects), and the only one which gets any real number of direct reports is security@tomcat. We'd only advise a project to advertise a separate security response address if they get or expect a significant number of issues.

For these board reports we do not plan on giving more detail about specific issues unless they are significant in some way (critical vulnerability or threat), as issues can take several months to go through the lifecycle of dealing with the reporter, during which time they are usually non-public.

For interest, now that we have two years of data, here is the cumulative total of emails to security@apache.org for each type:

               Jul-Dec06  Jan-Jun07  Jul-Dec07  Jan-Jun08   Total
  Support           24         14         25         13     [76]
  Query             11         10          4         11     [36]
  PoweredBy         17         20         19         11     [67]
  NotASFHack         7          5          0          3     [15]
  Report            24         23         23         20     [90]
  Total            [83]       [72]       [71]       [58]   [284]

  Support    : Support question, not vulnerability related. We won't answer these but will refer them to some public list.
  Query      : Security vulnerability question, but not a vulnerability report. We answer some of these but in most cases refer to a public list for discussion.
  PoweredBy  : Phishing/spam/attacks point to site "powered by Apache". We try to help the users understand what happened, but many still don't believe us, or don't understand.
  NotASFHack : User was hacked, but after investigation it turns out it wasn't ASF software at fault. Note that there isn't a "WasASFHack" row because we've not yet heard from anyone whose machine was compromised where it turned out to be via some flaw (fixed or unfixed) in ASF software.
  Report     : What the list is designed for, a vulnerability report. We include here all reports of possible vulnerabilities even if they turn out not to be vulnerabilities (as they require effort to investigate and/or respond). It's pretty constant through the years.
Jim requested that the projects for which the vulnerability was reported be included in the report.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
Nice and quiet for June:
  1 Support question
  3 Vulnerability report
It was noted that not all security reports are httpd related. Henning indicated a desire that a breakdown by projects would be nice, but there was no direction to provide it.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
May 2008 was mostly quiet, although the release of Apache HTTP Server 2.2.9 addressed two minor issues.
  1 Support question
  2 Security vulnerability question, but not a vulnerability report
  1 User was hacked, but it wasn't ASF software at fault
  4 Vulnerability report
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
Apr 2008 was mostly quiet:
  1 Support question
  6 Phishing/spam/attacks point to site "powered by Apache"
  1 Vulnerability report
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Mar 2008:
  7 Support question
  2 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  6 Vulnerability report
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Feb 2008:
  2 Support question
  4 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  3 Vulnerability report
Nothing much to note, although there were three requests this month to remove emails from mail-archives.apache.org as the addresses are unobfuscated and indexed by Google.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Jan 2008:
  1 Support question
  3 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  3 Vulnerability report
This month the press reported thousands of Apache HTTP on Linux servers being compromised and used to serve malicious files to visiting Windows clients. Although initial reports were sketchy, in the end the evidence pointed to the machines being compromised through leaked passwords and not through any ASF or third party software installed. The Security Team gave a short press statement which was used in some stories.
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Dec 2007:
  2 Support question
  1 Security vulnerability question, but not a vulnerability report
  3 Phishing/spam/attacks point to site "powered by Apache"
  8 Vulnerability report
For HTTPD Security, this month saw the completion of some vulnerabilities reported via SecurityReason, but all moderate or low severity, and finally fixing the security list moderator.
Approved by General Consent.
This month saw the completion of some vulnerabilities in the HTTPD project reported via JPCERT, although the co-ordination process took a lot of effort considering the low severity of the issues. There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Nov 2007:
  4 Support question
  1 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/attacks point to site "powered by Apache"
  3 Vulnerability report
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Oct 2007:
  5 Support question
  1 Security vulnerability question, but not a vulnerability report
  5 Phishing/spam/attacks point to site "powered by Apache"
  4 Vulnerability report
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Sep 2007:
  5 Support question
  1 Security vulnerability question, but not a vulnerability report
  4 Phishing/spam/attacks point to site "powered by Apache"
  1 Vulnerability report
After some discussion, it was decided that the current set of security mailing lists and advertisements of such on the ASF web sites as they exist today is adequate and appropriate.
Approved by General Consent.
The Security Team Project chair apologises for the lack of an August status report. There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For July/Aug 2007 we had 19 non-SPAM new issues:
  9 Support question
  3 Phishing/spam/attacks point to site "powered by Apache"
  7 Vulnerability report
A new set of HTTP Server releases this month fixed a number of moderate severity security issues, and included a work-around for a browser vulnerability, CVE-2007-4465. We also gained access to add comments directly into the National Vulnerability Database, useful for adding official statements to disputed issues.
Approved by General Consent.
Henri is to follow up requesting a report for next month.
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Jun 2007 we had 10 non-SPAM requests:
  5 Security vulnerability question, but not a vulnerability report
  5 Phishing/spam/attacks point to site "powered by Apache"
  4 Vulnerability report
The board discussed tracking, and we agreed that the role of the committee is to provide advice and to ensure that every issue has an owner.
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For May 2007 we had 10 non-SPAM requests:
  3 Support question
  2 User was hacked, but it wasn't ASF software at fault
  2 Phishing/spam/attacks point to site "powered by Apache"
  3 Vulnerability report
One of the vulnerability reports was in fact first reported in May 2006, but was never responded to as the issues were not deemed important. Whilst we are very responsive for issues of critical severity and issues that are not vulnerability reports, issues with no or low security impact have sometimes got lost: we're looking at ways to prevent this.
Approved by General Consent.
In April, Mark Thomas continued his audit of security issues fixed in Tomcat but not documented with CVE names. Mark Thomas and Joe Orton were added to the Security Team Project. There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For April 2007 we had 13 non-SPAM requests:
  46% ( 6) Actual report of a vulnerability (both valid and invalid)
  38% ( 5) User asks support question
   8% ( 1) Phishing/spam/attacks point to site "powered by Apache"
   8% ( 1) Security vulnerability question, but not a vulnerability report
Approved by General Consent.
WHEREAS, the Apache Software Foundation (ASF) Board Committee, known as the Apache Security Team expects to better serve its purpose through the periodic update of its membership; and
WHEREAS, the Apache Security Team is a Board-appointed committee whose membership must be approved by Board resolution.
NOW, THEREFORE, BE IT RESOLVED, that the following ASF members be added as Apache Security Team members:
  Joe Orton <jorton@apache.org>
  Mark Thomas <markt@apache.org>
Special Order 6B, Update Apache Security Team Membership, was approved by Unanimous Vote.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team. We have a proposed resolution for this board meeting to expand the security team to include Joe Orton and Mark Thomas, both of whom have been doing significant security-related work.
Approved by General Consent.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team. We had some interesting issues where the vulnerability was in the interaction between two projects.
For Jan and Feb 2007 we had 28 non-SPAM requests:
  36% (10) Actual report of a vulnerability (both valid and invalid)
  21% ( 6) User asks support question
  21% ( 6) Phishing/spam/attacks point to site "powered by Apache"
  11% ( 3) Security vulnerability question, but not a vulnerability report
  11% ( 3) User was hacked, but it wasn't ASF software at fault
The most serious issue dealt with was a critical severity issue affecting recent versions of mod_jk, where we worked successfully for the first time with researchers at TippingPoint.
Approved by General Consent.
[no report received]
Jim noted that he had seen an incoming report that was signed by a key that only BenL could decrypt. He was wondering if the security team had a key that all members could use and whether this one report was sent to BenL directly and not to the security team. Sander indicated that to his recollection, 3 people had the key: BenL, Marc and Lars. This is to be double checked.
Ken requested status on the CA issue and what the current plans/hopes for client certs were.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For Oct-Dec 2006 we had 39 non-SPAM requests out of about 1270 messages that made it through the spamfilter:
  31% (12) User asks support question
  26% (10) Actual report of a vulnerability (both valid and invalid)
  20% ( 8) Phishing/spam/attacks point to site "powered by Apache"
  18% ( 7) Security vulnerability question, but not a vulnerability report
   5% ( 2) User was hacked, but it wasn't ASF software at fault
Sam noted, with approval, that we are now receiving board reports from the team.
Approved by General Consent.
WHEREAS, the Apache Software Foundation (ASF) Board Committee, known as the Apache Security Team expects to better serve its purpose through the periodic update of its membership; and
WHEREAS, the Apache Security Team is a Board-appointed committee whose membership must be approved by Board resolution.
NOW, THEREFORE, BE IT RESOLVED, that the following ASF members be added as Apache Security Team members:
  * Lars Eilebrecht (lars@apache.org)
  * William A. Rowe (wrowe@apache.org)
  * Sander Striker (striker@apache.org)
Special Order 6A, Updating the Apache Security Team Membership, was approved by Unanimous Vote.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team.
For July-Sep 2006 we had 44 non-SPAM requests (out of about 1670 messages that made it through the spamfilter):
  32% (14) Actual report of a vulnerability (both valid and invalid)
  27% (12) Phishing/spam/attacks point to site "powered by Apache"
  27% (12) User asks support question
  10% ( 4) Security vulnerability question, but not a vulnerability report
   4% ( 2) User was hacked, but it wasn't ASF software at fault
Still outstanding are some requests to fix the committee info and outreach to some projects to understand how to interface with us.
It was noted that the board should suggest to Mark to work on growing the committee.
Approved by General Consent.
WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish the ASF Board Committee charged with maintaining the security of software produced by the various projects established under the ASF's umbrella, but not for the security of the servers and other infrastructure used by the ASF.
NOW, THEREFORE, BE IT RESOLVED, that the ASF Board Committee, known as the "Apache Security Team", be and hereby is reestablished pursuant to Bylaws of the Foundation; and be it further
RESOLVED, that the Apache Security Team be and hereby is responsible for organization and oversight of efforts to maintain the security of ASF projects and shall act as a single point of contact between the ASF and any entity wishing to report or fix any security related issue in any project.
RESOLVED, that each project shall appoint at least one non-voting liaison to the committee, who shall have commit privilege for the project's repository, and the technical ability to release new versions, advisories or security patches on behalf of the project.
RESOLVED, that the committee shall have the power to act on behalf of any project in matters of security.
RESOLVED, that Mark Cox shall serve at the direction of the Board of Directors as the chair of the Security Team and have primary responsibility for managing the Security Team; and be it further
RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the members of the Apache Security Team:
  Ben Laurie
  Mark Cox
There was some discussion over the small number of "initial" members of the team. It was noted that it was expected that new members would be added as soon as the team rebooted.
Special Order 6A, Reestablishing the Apache Security Team, was approved by Unanimous Vote.
No report provided.
Jim asked when was the last time we had a report and asked if it was time to propose a more active chair? Henri noted that the last report was February 2006 but the board noted that reports were few and sparse. Sander said that he had talked to Ben Laurie and that he has been in touch with Mark J. Cox as a possible candidate to take over.
There was no report. Sander was tasked with getting a security report.
There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team, most notably Mark Cox. The good news is that the majority of projects now appear to have security@ addresses, so it's possible to have the reports dealt with by the right people. The bad news is that we continue to not properly track issues, resulting in them getting dropped on the floor too often.
Approved by General Consent.
There was no report yet again. The board expressed concern that the Security Team consistently neglects to file reports. Sander was to talk to Ben about this concern.
Action Item: Sander to track down report
No report. The board expressed serious concern that no report from the Security Team has been submitted for several times in a row. Greg asked for volunteers to contact Ben Laurie to determine why this is the case. Sander agreed to contact Ben and report back to the board.
No report submitted. It was noted that the Security Team had not submitted a report for almost a year. Greg indicated he would contact Ben regarding this.
No report was provided. It was agreed that Greg or Dirk would send a polite but firm reminder that these reports are required, and that the Security Team does not have a good track record of providing these reports.
No report submitted.
A report was expected, but not received.
As discussed at the last board meeting, there's little to report on the security team front, except that we continue to deal with incoming reports by forwarding to the appropriate team, and we continue to not do a fantastic job with the less critical problems - critical ones are dealt with promptly, as always, but others are quite often dropped on the floor until outside forces refocus our attention. Although I don't see this as an enormous problem, it would be nice to find a way to fix it. Sadly, with volunteer effort, it is hard to do. I have idly wondered if it might be a suitable item for corporate sponsorship (i.e. providing the monitoring/tracking/ass-kicking function).
It was noted that new PMCs need to be aware of the Security Team and must ensure that they work with the team.
Approved via General Consent.
No report received or submitted.
The security team now has its own mailing list (security-team@apache.org), for discussion of team business and _not_ security issues. security@apache.org is still the primary contact for security issues, which are then dispatched to the security list for the appropriate (sub-)project. These are being set up on a piecemeal basis, as needed for new security issues, and are of the form <project>-security@apache.org, security@<project>.apache.org or <subproject>-security@<project>.apache.org. This diversity is regrettable, but needed in order to match the list to the correct audience, without breaking intuitiveness of naming. security@apache.org is subscribed to _all_ these mailing lists, so the core security team remain aware of developments. So far these lists only exist for httpd and Tomcat, but this is probably a good thing, so we can work out any wrinkles in the plan without having to modify dozens of lists to conform. There is also a CVS repository, security, which is used to (manually) track the status of reports. It is currently proposed to break this into subdirectories for each (sub-)project, with group access as appropriate to the subdirectory (which I support, but which has not yet had time for discussion). I've also unilaterally adopted a numbering scheme for tracking reports, of the form AST-yyyymmdd(-nn), with no complaints yet heard. Although it is early days, it seems clear that this system has already resulted in two clear positive benefits: a) issues are not getting (permanently) dropped on the floor; b) issues are being dispatched to the project teams and are no longer summarily dealt with by the security core team.
By general consent, this report was recorded as entered and approved.
Ben reported that things are moving slightly slowly. Currently, the team is getting the liaisons added from each ASF PMC, project and subproject.
