Apache Software Foundation warns that its patching efforts are undermined by the use of end-of-life software

Adam Bannister January 14, 2022 at 15:01 UTC
Updated: January 14, 2022 15:05 UTC
The nonprofit shares metrics in its latest annual security review of more than 350 projects
The Apache Software Foundation (ASF) has warned that its efforts to respond quickly to security vulnerabilities are being undermined by organizations running end-of-life versions of Apache software.
The warning came in ASF’s latest annual review of security in the Apache ecosystem, which found that the nonprofit received 441 reports of potential new vulnerabilities in 2021 across 99 Apache projects.
This figure represents a 17% increase in submissions reaching triage compared to 2020 (376 reports) and a 38% increase compared to 2019 (320).
Yard firewall
The reports ultimately accounted for 183 CVEs – up 21% from 2020 (151) and 50% from 2019 (122) – including the explosive Log4j vulnerability in December and a number of other flaws affecting multiple projects.
Fifty of the 441 reports, submitted by both project maintainers and external security researchers, were still being triaged at the end of the year, meaning they had neither received a CVE nor been rejected as invalid. That number was higher than expected due to an increase in reports in late December, the ASF said.
“While the ASF often gets updates out quickly for critical issues, reports show that users are being exploited via old ASF software issues that haven’t been updated in years, and vendors (and therefore their users) are still using end-of-life versions that have known unpatched vulnerabilities,” said Mark Cox, vice president of security for the ASF.
“This will continue to be a big issue and we are committed to tackling this industry-wide issue to determine what we can do to help.”
White House Summit
That supply chain weaknesses lie both upstream and downstream was one of the points raised by the ASF in a position paper released ahead of its participation yesterday (January 13) in a virtual summit on open source security hosted by the White House.
The ASF said it also received 135 emails in 2021 reporting “flaws” on Apache’s website, nearly all of which were “false positives”.
The ASF report also highlighted other notable Apache vulnerabilities and developments in 2021; unsurprisingly, these included the notorious Log4j bug.
The report also covered a cross-site scripting (XSS) flaw in Apache Velocity that was prematurely disclosed in January, after a delay of several months between the development of a fix and the release of the corresponding patch.
The ASF welcomed research into new HTTP/2 threats affecting Apache HTTP Server (CVE-2021-33193), published in August, as well as the addition of Apache Airflow, Apache HTTP Server, and Apache Commons to HackerOne’s Internet Bug Bounty program in October.
Despite the resource constraints inherent in a volunteer organization, Mark Cox said the ASF continues to build “a consistent process for how reported security issues are handled” across more than 350 diverse and independent Apache projects, and reserves the right to archive projects that fail to follow it.