Imperva Report: Third of Vulnerabilities Lack Fix

An analysis of the vulnerabilities that were disclosed in 2019 conducted by Imperva, a provider of firewall management software, finds there was a 17.6% increase compared to 2018, with 22% of those vulnerabilities representing either high (18%) or severe threats (13%).

More troubling still, the analysis also reveals that a public exploit already exists for almost half of the vulnerabilities (47%) and, worst of all, more than a third (40.2%) of vulnerabilities have no available solution, such as a software upgrade, workaround or software patch, to remediate the issue.

Overall, the dominant category of vulnerabilities this year was those that included some form of injection, accounting for 5,730 (28.1%) of the total vulnerabilities seen in 2019. That represents a 21% increase year over year.

Surprisingly, most of those injection vulnerabilities involved remote command execution (RCE), with 3,869 vulnerabilities (19%) discovered, compared to 1,610 vulnerabilities (8%) for SQL injection. There were also 75 vulnerabilities involving local or remote file inclusion and 607 vulnerabilities relating to unsanitized file upload.

In terms of database vulnerabilities, the report finds there were 130 (59%) involving the open source MySQL database, a 23.8% increase year over year. That compares to SQLite and Oracle with 17 and 16 vulnerabilities, respectively. The most common database vulnerability was denial-of-service (DoS), with 138 vulnerabilities, and broken access control, with 45 vulnerabilities recorded.

2019 also saw 2,652 vulnerabilities in server technologies implemented in PHP, an increase of 12.7% year over year. Java saw only 229 new vulnerabilities, compared to 256 in 2018.

Another troubling trend surfaced by the report is an 80.6% increase in vulnerabilities involving third-party components year over year. Out of 2,081 of these types of vulnerabilities, 1,341 (64%) were in WordPress plugins and 354 (17%) in Jenkins plugins, while 88 new vulnerabilities were in NodeJS packages. WordPress also registered the highest number of vulnerabilities (1,574) last year, a 143% increase, followed by Magento, which saw a 77% increase, with 223 vulnerabilities. A total of 97.2% of WordPress vulnerabilities were related to plugins.

A more mixed result for cybersecurity: the number of new application programming interface (API) vulnerabilities in 2019 (485) increased by 18.9%. That rate of growth, however, is down from more than 80% in the previous year. Dima Bekerman, security research manager for Imperva, said that while it is apparent developers are making progress in terms of securing APIs, organizations should be wary of becoming complacent. As organizations continue to embrace microservices-based architectures for building and deploying applications, the number of APIs that need to be secured will increase. As such, organizations should make certain cybersecurity is deeply ingrained within their DevOps processes, advised Bekerman.

On a more positive note, however, two major vulnerability categories fell out of the top 10 list: DoS, which had 4,130 vulnerabilities, a decrease of 19.2%, and cross-site request forgery (CSRF), which had 5,114 vulnerabilities, a decrease of 23.8%.

The Imperva report also finds that despite an increase in the number of internet of things (IoT) devices and vendors, there was a 9% decrease in vulnerabilities from the previous year. The most common IoT vulnerability involved a potential DoS attack, with 418 vulnerabilities, followed by RCE, with 398 vulnerabilities.

Clearly, there is still a lot of work to be done when it comes to discovering and remediating vulnerabilities. The challenge is trying to get to them all before they are discovered by cybercriminals who make a living finding new ways to exploit them.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
