Top 10 2013-A9-Using Components with Known Vulnerabilities

Learn about the risks and impact of 'Using Components with Known Vulnerabilities' as outlined in the OWASP Top 10 2013. Find preventive measures and example attack scenarios here.

Overview

This is the archived OWASP Foundation Wiki page on the topic of 'Using Components with Known Vulnerabilities'. It discusses the threat agents, attack vectors, security weaknesses, and technical and business impacts associated with vulnerabilities in application components. It also explains how to determine whether you are vulnerable and how to prevent such vulnerabilities. The page includes example attack scenarios and references for further reading.


Description

This page provides an overview of the OWASP Top 10 2013 vulnerability 'Using Components with Known Vulnerabilities'. It explains how vulnerable components can be identified and exploited, the impact of these vulnerabilities on an application, and the importance of keeping components up to date. The page also highlights the risks associated with component vulnerabilities and provides guidance on preventing them.


How to Prevent?

To prevent 'Using Components with Known Vulnerabilities', it is recommended to:

  1. Identify all components and their versions used in your application.
  2. Monitor the security of these components in public databases and keep them up to date.
  3. Establish security policies for component use, such as requiring certain software development practices and passing security tests.
  4. Consider adding security wrappers around components to disable unused functionality and secure weak or vulnerable aspects.
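The first two steps above (inventory every component with its version, then compare that inventory against an advisory source) are the part a team can automate. The script below is an added example written for this page; it is not code from OWASP or from Cloud Defense. It parses a pip-style requirements manifest into an inventory and flags any pinned component whose version is older than the fixed version recorded in an advisory table, and it also flags unpinned requirements, since a component whose version is unknown cannot be checked at all. Both the manifest and the advisory table are constructed sample data embedded inline, and the advisory identifiers are placeholders, not real CVE numbers; in practice the table would be populated from a public vulnerability database.

```python
"""Dependency inventory check against a table of known advisories.

Added example for the OWASP 2013-A9 prevention steps. All manifest lines and
advisory entries below are constructed sample data, not real projects or CVEs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifest in pip requirements.txt format.
SAMPLE_MANIFEST = """\
# constructed sample project, not a real application
requests==2.19.0
flask==1.1.2
pyyaml==3.13
cryptography==41.0.7
jinja2>=2.10          # unpinned: version unknown until install time
"""

# Constructed advisory table: component -> list of (fixed_in, advisory_id).
# A component is affected when its pinned version is older than fixed_in.
# Identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = {
    "requests": [("2.20.0", "EXAMPLE-ADV-0001")],
    "pyyaml": [("5.1", "EXAMPLE-ADV-0002")],
    "flask": [("0.12.3", "EXAMPLE-ADV-0003")],  # already fixed in the sample pin
}


@dataclass(frozen=True)
class Finding:
    component: str
    version: Optional[str]   # None when the requirement is not pinned
    advisory_id: str         # placeholder id, or "UNPINNED"
    fixed_in: Optional[str]


def parse_version(v: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0); a non-numeric segment compares as 0."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than b ('1.0' equals '1.0.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_requirements(text: str) -> dict:
    """Step 1: build the inventory. Returns {normalized name: version or None}."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==\s*([0-9][\w.\-]*))?", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        inventory[name] = m.group(3)             # None unless pinned with ==
    return inventory


def check_inventory(inventory: dict, advisories: dict) -> list:
    """Step 2: compare each component against the advisory table."""
    findings = []
    for name, version in inventory.items():
        if version is None:
            findings.append(Finding(name, None, "UNPINNED", None))
            continue
        for fixed_in, adv_id in advisories.get(name, []):
            if version_lt(version, fixed_in):
                findings.append(Finding(name, version, adv_id, fixed_in))
    return findings


def report(findings: list) -> str:
    """Render findings as one line per affected component."""
    if not findings:
        return "no known-vulnerable or unpinned components"
    lines = []
    for f in findings:
        if f.advisory_id == "UNPINNED":
            lines.append(f"{f.component}: not pinned, version cannot be checked")
        else:
            lines.append(f"{f.component} {f.version}: {f.advisory_id}, fixed in {f.fixed_in}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_requirements(SAMPLE_MANIFEST)
    print(report(check_inventory(inv, SAMPLE_ADVISORIES)))
```

Run as a script, it lists the two outdated pins and the unpinned requirement, while the component whose pin is already at or past the fixed version and the component with no advisory are left alone. The same check belongs in the build pipeline so that a newly published advisory, or a newly added dependency, fails the build rather than waiting for a manual review.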


Example Attack Scenarios

  • Apache CXF Authentication Bypass: By failing to provide an identity token, attackers could invoke any web service with full permission. This vulnerability was found in Apache CXF, a services framework.

  • Spring Remote Code Execution: Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server. This vulnerability was found in the Spring framework.
