On Friday, researchers discovered critical vulnerabilities in several popular open projects, each of which could cause a supply chain attack through the continuous integration (CI) process.
In a blog post, Cycode researchers reported finding the vulnerabilities in misconfigured GitHub Actions workflows, which may impact millions of potential victims. According to the researchers, the workflows lacked proper input sanitization, which can allow malicious actors to inject code into builds via issues and comments, as well as gain access to privileged tokens.
Of the dozens of vulnerable repositories they found, the most popular were: Liquibase, Dynamo BIM, FaunaDB, Wire, Astro, Kogito, and Ombi.
While Log4j was the vulnerability that grabbed everyone’s attention and made national news for the past few months, more than 4,000 high-severity vulnerabilities were announced in 2021, said Ratan Tipirneni, President and CEO. Tigera direction. Tipirneni said Cycode’s recent discovery of critical vulnerabilities in several popular open source projects further demonstrates that as the pace of innovation combined with the use of open source libraries increases, we will continue to see an increase in vulnerabilities and threats.
“This is a worrying sign for highly constrained security and DevOps teams,” Tipirneni said. “It’s nearly impossible for a DevOps or security team to track attackers. To close the security gap, organizations will need to apply zero trust and defense-in-depth principles to the entire CI/CD pipeline to actively mitigate risk through a combination of preventative measures and active defense.
Casey Bisson, product and developer relations manager at BluBracket, added that we know that open source has become an essential component in virtually all modern applications and that targeting these upstream projects is a way to quickly compromise the supply chain. software supply. However, Bisson said, too often people view the code supply chain exclusively in terms of dependency risks, with too little attention to securing the pipeline from developer to deployment in their own environments.
“Our research shows that most Git and CI/CD access and configuration vulnerabilities are accidental, but companies lack the tools to monitor them or guide them on best practices,” Bisson said. “Companies in all industries are seeing a growing need to implement early and automate code analysis and access throughout the software development workflow to identify and remediate risks at source and before they occur. ‘they don’t propagate through the software supply chain.’