
A06 Vulnerable and Outdated Components - OWASP Top 10:2021

Learn about the cybersecurity issue of Vulnerable and Outdated Components in the OWASP Top 10:2021. Understand the risks, impact, and proactive prevention measures.

Overview

A06:2021 – Vulnerable and Outdated Components


Description

Vulnerable and Outdated Components refers to the use of software components, on the client side or the server side, that are vulnerable, unsupported, or out of date. This covers the operating system, web and application servers, the database management system, applications, APIs, runtime environments, and libraries. Any organization running such components is at risk of being targeted by cyberattacks. This article gives an overview of the issue, its impact, and the preventive measures that mitigate the risk.


How to Prevent?

To prevent Vulnerable and Outdated Components, organizations should implement a patch management process that removes unused dependencies, continuously inventories component versions, scans for vulnerabilities regularly, and subscribes to security bulletins for the components in use. Components should be obtained from official sources over secure links, and teams should watch for components that are no longer maintained. Patching and configuration changes should be prioritized, with a continuous plan to apply updates throughout the application's lifetime.
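The inventory-and-scan steps above are easy to state and easy to get wrong in practice: an inventory only helps if every component has a known version, and a scan only helps if the version comparison is correct. The following is an added example, not code from this page or from OWASP, that compares a requirements.txt-style pin list against a list of advisories with introduced/fixed version ranges and separately reports dependencies that cannot be inventoried because they are not pinned to an exact version. The lockfile, the advisory list and the `PLACEHOLDER-ADV-*` identifiers are all constructed for the example; they are not real packages' data or real CVE numbers.

```python
"""Dependency inventory check: compare pinned component versions against
advisory data with affected version ranges, and flag dependencies whose
version cannot be inventoried because they are not pinned.

Added example. The lockfile and advisory list below are constructed, and
the advisory identifiers are placeholders, not real CVE numbers."""
import re

# Constructed requirements.txt-style lockfile (not a real project's file).
SAMPLE_LOCKFILE = """
# web stack
flask==2.0.1
requests==2.25.0   # pinned to an old release on purpose for the example
urllib3>=1.26      # range specifier: actual installed version unknown
PyYAML==5.3.1
"""

# Constructed advisories. A version is affected when
# introduced <= version < fixed. Identifiers are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-001", "package": "pyyaml",   "introduced": "0",     "fixed": "5.4"},
    {"id": "PLACEHOLDER-ADV-002", "package": "requests", "introduced": "2.3.0", "fixed": "2.31.0"},
    {"id": "PLACEHOLDER-ADV-003", "package": "flask",    "introduced": "0",     "fixed": "2.0.0"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)")


def normalize_name(name):
    """Canonical package name: case-insensitive, with '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Turn '2.25.0' into (2, 25, 0); non-numeric parts such as 'rc1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a, b):
    """Numeric, zero-padded comparison so that '2.0' compares equal to '2.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_lockfile(text):
    """Return ({name: version} for exact '==' pins, [names] for everything else)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[normalize_name(m.group(1))] = m.group(2)
            continue
        n = NAME_RE.match(line)
        if n:
            unpinned.append(normalize_name(n.group(1)))
    return pinned, unpinned


def check_inventory(lockfile_text, advisories):
    """Match every pinned component against every advisory for that package.

    Returns (findings, unpinned): findings lists affected components with the
    advisory id and the first fixed version; unpinned lists components whose
    version is unknown and therefore could not be checked at all."""
    pinned, unpinned = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = pinned.get(normalize_name(adv["package"]))
        if version is None:
            continue
        affected = (not version_lt(version, adv["introduced"])
                    and version_lt(version, adv["fixed"]))
        if affected:
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings, unpinned


if __name__ == "__main__":
    findings, unpinned = check_inventory(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"VULNERABLE {f['package']}=={f['version']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
    for name in unpinned:
        print(f"UNPINNED   {name}: version not inventoried; pin it so it can be checked")
```

The unpinned report is the part most real inventories skip: a range specifier such as `urllib3>=1.26` says nothing about what is actually deployed, so the component is invisible to the scan until the build is locked to exact versions. The zero-padded comparison matters too, because a naive tuple comparison treats `2.0` as older than `2.0.0` and would produce a false positive at exactly the boundary an advisory's "fixed in" version describes.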


Example Attack Scenarios

  • Scenario #1: Component Flaws and Remote Code Execution: Flaws in vulnerable components can have serious impact, up to remote code execution. An example is the Struts 2 remote code execution vulnerability (CVE-2017-5638), which enabled arbitrary code execution on affected servers and has been linked to significant data breaches. Unpatched IoT devices pose a similar risk, as seen with the Heartbleed vulnerability. Attackers can find and exploit such flaws with automated tools, which is why patching and monitoring matter.
