Apache Software Foundation Security Report: 2019
By Mark Cox, Vice President Security, The Apache Software Foundation
February 3, 2020
Anyone finding security issues in any Apache project can report them to firstname.lastname@example.org where they are recorded and passed on to the relevant dedicated security teams or project management committees (PMC) to handle. The security committee see all the issues reported across all the addresses and keep track of the issues throughout the vulnerability lifecycle.
The security committee is responsible for ensuring that issues are dealt with properly and will actively remind projects of their outstanding issues and responsibilities. As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues. This, along with the Apache Software License, is a key part of the ASF's general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.
The oversight into all security reports, along with tools we have developed, gives us the ability to easily create statistics on the issues.
Statistics for 2019
In 2019 our security addresses received in total over 18,000 emails. After spam filtering and thread grouping this comes to 620 non-spam threads. Unfortunately many security reports do look like spam and so the security team are careful to review all messages to ensure real reports are not missed for long.
Diagram 1: Breakdown of ASF security email threads for calendar year 2019*
Diagram 1 gives the breakdown of those 620 threads. 138 threads (22%) were people confused by the Apache License. As many projects use the Apache License, not just those under the ASF umbrella, users can get confused when they see the Apache License and they don't understand what it is. This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.
The next 162 of the 620 (26%) are email threads that are not spam but are also not reports of new vulnerabilities. These are generally people asking support-type questions or how old vulnerabilities were dealt with.
That left 320 reports of new vulnerabilities in 2019, which spanned across 84 of the top level projects. These 320 reports are a mix of both external reporters and internal; for example where a project has found an issue themselves and followed the ASF process to assign it a CVE name and address it. Note that we don't track the reporter affiliation, and ASF reporters often use non-ASF email addresses for reporting, so we can't give a breakdown of internal vs external reports.
The next step is that the appropriate project triages the report to see if it's really an issue or not. At this stage invalid reports, or things that are not actually vulnerabilities at all, get rejected back to the reporter. The remaining issues that are accepted are assigned appropriate CVE names and eventually fixes are released.
As of January 1st 2020, 19 of those 320 reports were still under triage (i.e. the project had not yet determined if the report is accepted or rejected). The process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed. As a general guideline we try to ensure projects have triaged issues within 90 days of the report. The timeline for the fixing of issues depends on the schedules of the projects themselves and issues of lower severity are most often held to future pre-planned releases.
The remaining closed 301 reports led to us assigning 122 CVE names. Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names. The Apache Security committee handle CVE name allocation and are a Mitre Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts Mitre directly or goes public with an issue before contacting us.
During 2019 there were a few events worth discussion; either because they were severe and high risk, they had readily available exploits, or otherwise due to media attention. These included: