10 Linux/Open Source Vulnerabilities of All Time

    All of the issues were patched in short order by the upstream projects, yet not every user patched quickly, leaving some exposed to risk.
  • Heartbleed

    No conversation about open source vulnerabilities can be had without mentioning Heartbleed. Disclosed in 2014, the Heartbleed vulnerability was found in the open source OpenSSL cryptographic library and enabled attackers to exploit encrypted communications. http://heartbleed.com/
  • ShellShock

    Also disclosed in 2014, the Shellshock vulnerability was particularly impactful, exposing a risk in Bash (the Bourne Again Shell) that could have enabled an attacker to inject and execute arbitrary commands on a vulnerable server. http://www.gnu.org/software/bash/
  • CVE-2014-7188 The Flaw that Rebooted the Public Cloud

    While some vulnerabilities are publicly reported before most users get the chance to patch, that wasn't the case with CVE-2014-7188, which was a critical flaw in the Xen hypervisor. At the time of the flaw's disclosure (2014), Xen was the primary virtualization tool for multiple public cloud providers, including Amazon. Thanks to a well-executed private disclosure process, the cloud providers were all able to patch and reboot their clouds before users were put at risk.
  • Apache Struts CVE-2017-5638 - The Flaw that Breached Equifax

    In 2017, the open source Apache Struts project reported CVE-2017-5638, which is a remote code execution (RCE) flaw. Failure to patch the flaw was cited by Equifax as the root cause that enabled attackers (identified by the U.S. Department of Justice in 2020 as being from China) to exploit Equifax, exposing hundreds of millions of Americans to risk.
  • Dirty Cow

    Dirty COW (Copy On Write) is a Linux privilege escalation vulnerability formally disclosed in 2016 as CVE-2016-5195. According to the bug disclosure, "an unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." https://dirtycow.ninja/
  • GHOST

    GHOST (gethostbyname) CVE-2015-0235 is a vulnerability in the open-source Linux GNU C Library (glibc). While it could have potentially enabled an attacker to execute arbitrary code, the actual impact of the flaw was mitigated by other controls in Linux.
  • CARPE DIEM

    One of the most widely deployed open source technologies is the Apache HTTPD web server. In 2019, CVE-2019-0211 was reported and given the name CARPE DIEM. CARPE stands for CVE-2019-0211 Apache Root Privilege Escalation, and DIEM is because the exploit triggers once a day.
  • Samba CVE-2017-7494

    The CVE-2017-7494 flaw in the widely deployed Samba file sharing server was disclosed around the same time as the EternalBlue flaw in Windows that led to the WannaCry ransomware attack. Though different from EternalBlue, the Samba flaw is similarly a remote code execution issue that could have enabled an attacker to execute a worm or ransomware attack.
  • Spectre/Meltdown

    Neither Spectre nor Meltdown is a 'pure' open source vulnerability, though they have had widespread impact on open source systems. Spectre and Meltdown are CPU flaws first disclosed in 2017 that could be exploited by code running in an operating system. Linux vendors and kernel developers have been scrambling ever since to patch and fix the seemingly endless stream of variants.
  • SUDO CVE-2019-14287

    Sudo (short for Super User Do) is a primary tool in Linux giving users super user permissions to execute administrative actions. With CVE-2019-14287, Sudo restrictions could potentially be bypassed, giving an attacker full access to a vulnerable system.

New vulnerabilities are reported all the time in open source code and applications, and that's all good; it's a healthy part of the ecosystem. Once vulnerabilities are found, they can be fixed, rather than staying dormant in the shadows for attackers to exploit. Over the past decade, there have been a few high-profile open source vulnerabilities that made a substantial impact. All of the issues were patched in short order by the upstream projects, but not every user patched quickly, leaving some exposed to risk.