Top 5 New Open Source Vulnerabilities in January 2019

January kicks us off with a number of high profile projects that should ring some bells, reporting vulnerabilities which are worthy of our attention and remediations.

WhiteSource’s Knowledge Group has been hard at work, pouring through our lists of newly collected vulnerabilities to bring our readers the info they need to keep their open source usage secure.

The team reviewed all the new issues that have been added to WhiteSource’s database, which are aggregated continuously from multiple sources including the National Vulnerability Database (NVD), and additional publicly available, peer-reviewed security advisories and issue trackers.

Hopefully, your development and security teams have been keeping their products up to date with the latest and most secure versions, but it never hurts to check our list for any security alerts that might have slipped through the cracks over the past month.

#1 Docker Engine


Vulnerability Score: Medium — 6.5

Affected versions: Versions before 18.09

Containers have been one of the hottest topics in development in the past year, with no sign of slowing down as we roll through 2019. However, along with the excitement over how they allow for smoother flow from development through deployment, we are starting to understand that they have some of their own risks which need to be accounted for along the way.

At the tail end of 2018, a significant vulnerability in Google’s Kubernetes open source controller for container orchestration was found, catching plenty of folks off guard as Kubernetes has become a core infrastructure tool throughout the industry.

Now another primary provider of container services has been found with an uncontrolled resource consumption vulnerability, while not a serious one in particular, it’s a reminder that the tools we depend on can be vulnerable to attack. For years (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: