Researchers identified serious flaws in multiple famous open source projects on Friday, each of which can be used to launch a supply chain attack via the continuous integration (CI) process.
Researchers from Cycode claimed in a blog post that they discovered vulnerabilities in misconfigured GitHub Actions workflows that might affect millions of users. According to the researchers, the workflows lacked sufficient input sanitization, allowing malicious actors to inject code into builds through issues and comments, as well as to gain access to privileged tokens.
Liquibase, Dynamo BIM, FaunaDB, Wire, Astro, Kogito, and Ombi were the most popular of the dozens of insecure repositories they discovered.
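The misconfiguration class described above, shown as an added example that is not from the Cycode write-up or from any of the projects named here: a constructed workflow that interpolates an issue title straight into a shell step (so whatever a contributor types into the title becomes part of the build command), the hardened form that passes the same value through an environment variable and narrows the token's permissions, and a small scanner that flags the unsafe pattern. The list of contributor-controlled event fields and both workflows are assumptions made for this example.

```python
import re

# Constructed sample workflows (not from the Cycode report). The first echoes
# untrusted event data directly inside a `run:` step with a write-all token;
# the second passes it via an env var and grants only what the job needs.
VULNERABLE_WORKFLOW = """\
name: triage
on: [issues, issue_comment]
permissions: write-all
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
"""

HARDENED_WORKFLOW = """\
name: triage
on: [issues, issue_comment]
permissions:
  issues: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

# Event fields an outside contributor controls (issue/PR title and body, comment
# body, review body, commit message). Assumed list; extend for your own workflows.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|head_commit)\.[\w.]+\s*\}\}"
)

def find_injections(workflow_text):
    """Return (line_no, expression) for each untrusted expression that sits inside a
    `run:` step. Line-based scan: a multi-line `run: |` block is followed until the
    indentation drops back to the level of the `run:` key."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        if stripped.startswith("- run:") or stripped.startswith("run:"):
            in_run, run_indent = True, indent
        elif in_run and indent <= run_indent:
            in_run = False
        if in_run:
            findings.extend((no, m.group(0)) for m in UNTRUSTED.finditer(line))
    return findings

def uses_write_all(workflow_text):
    """True when the workflow hands every job a write-all GITHUB_TOKEN."""
    return bool(re.search(r"^permissions:\s*write-all\s*$", workflow_text, re.M))
```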
According to Ratan Tipirneni, president and CEO of Tigera, while Log4j was the vulnerability that caught everyone’s attention and made national news over the past few months, “over 4,000 high-severity vulnerabilities were announced in 2021.” Tipirneni said the recent Cycode discovery of major vulnerabilities in multiple popular open-source projects illustrates that as the speed of innovation and the use of open-source libraries accelerate, vulnerabilities and threats will continue to rise.
Open source has become a vital component in practically all modern applications, and targeting these upstream projects is a quick way to damage the software supply chain, according to Casey Bisson, head of product and developer relations at BluBracket. However, Bisson said, too many people look at the code supply chain only in terms of dependency risks, with too little focus on safeguarding the pipeline from developer to deployment in their own environments.
“Our research shows most Git and CI/CD access and configuration vulnerabilities are accidental, but companies lack tools to monitor or guide them on best practices,” Bisson said. “Companies in every industry are seeing a growing need to implement early and automate scanning of code and access throughout the software development workflow to identify and remediate risks at the source and before they propagate down the software supply chain.”