In this article, we will explore some technologies that are commonly used today despite being known to be vulnerable. We’ll discuss why these technologies are considered vulnerable, and if available, which of their alternatives can best be used as secure replacements.
It is estimated that today, over 80% of the software in use has some implementation of open-source or third-party software. Hackers find open-source components attractive for attacks due to the security loopholes that many of them have. In fact, OWASP classified the use of components with known vulnerabilities as one of their Top 10 vulnerabilities in 2017.
What Are the Most Common Vulnerable Protocols and Components?
Due to the large number of vulnerable components and protocols being used today, we have divided this section to two parts to discuss each category separately. We not only will look at the affected versions but also talk about the available patches, secure and stable versions and alternatives.
Commonly-Known Vulnerable Components
Components discussed here will largely be open-source and are being used to either manage or develop other software products. Most organizations tend to shy away from open-source software due to the impression that paid products offer much more security as compared to open-source alternatives. We’ll reserve this argument for another article. For now, let’s look at some components.
- JBoss Application Server: JBoss is one of the many Java Web Containers available today. It is both open-source and cross-platform. In 2017, it was discovered that a vulnerability could lead to attackers achieving remote code execution and result in attackers gaining full control of the server. This vulnerability affected JBoss Application Server 4.0 and prior.In order for you to protect yourself from this vulnerability, it is recommended that you upgrade to JBoss EAP 7. JBoss Application Server is not (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/BFAawWQe9Rg/