April 15, 2024

Trellix automates patching for 62,000 vulnerable open source projects

Trellix and GitHub have collectively fixed a total of 61,895 open source projects that were found to be vulnerable to a 15-year-old path traversal vulnerability in Python’s tarfile module.

The firm’s Advanced Research Center team highlighted the prevalence of CVE-2007-4559 in September 2022, after finding that, 15 years after it was first disclosed, the vulnerable pattern was still in use in an estimated 350,000 open source projects and an unknowable number of closed source ones.

The team stumbled across the vulnerability while investigating an unrelated issue and initially thought it was a brand-new zero-day, but after they started tugging on the thread they found they were in fact looking at a veteran bug in the extract and extractall functions of Python’s tarfile module.

When exploited, CVE-2007-4559 lets a user-assisted remote attacker overwrite arbitrary files via a specific sequence (such as “../” components) in the filenames stored in a TAR archive, potentially achieving arbitrary code execution or control of the target machine.
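The pattern described above, as an added example that is not part of the original article and is not Trellix’s or CPython’s code: a constructed archive carrying a “../” member, the naive extractall() call that trusts it, and a hardened extractor that resolves each member’s final path (and link target) and refuses anything that would land outside the destination. Python 3.12 added a filter argument to extract()/extractall() (also backported to the 3.8 to 3.11 maintenance releases), and interpreters that default that filter to “data” refuse the escaping member instead of writing it; the example passes filter="data" where it is available as defence in depth but does not rely on it. The archive contents, directory names and function names are all assumptions made for the demonstration.

```python
# Added example (not Trellix's or CPython's code): the CVE-2007-4559 pattern in
# tarfile.extractall() next to a hardened extractor that refuses members whose
# final location would fall outside the destination directory.
import io
import os
import tarfile
import tempfile
import warnings


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus one member whose name
    climbs out of the extraction directory (the CVE-2007-4559 pattern)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("readme.txt", b"harmless\n"),
                              ("../escaped.txt", b"written outside dest\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def naive_extract(tar_bytes: bytes, dest: str) -> None:
    """The vulnerable pattern: every member name is trusted as given."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(path=dest)  # CVE-2007-4559: "../" in a name escapes dest


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to something beneath it.
    realpath() also follows symlinks that earlier members may have created."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract members one at a time, skipping any whose path or link target
    would land outside dest. Returns (extracted names, rejected names)."""
    extracted, rejected = [], []
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            bad = os.path.isabs(member.name) or not is_within(dest, target)
            if member.issym() or member.islnk():
                # symlink targets are relative to the link's own directory,
                # hardlink targets are relative to the archive root (dest)
                link_base = os.path.dirname(target) if member.issym() else dest
                bad = (bad or os.path.isabs(member.linkname)
                       or not is_within(dest, os.path.join(link_base, member.linkname)))
            if bad:
                rejected.append(member.name)
                continue
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
                tar.extract(member, path=dest, filter="data")
            else:
                tar.extract(member, path=dest)
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Run both extractors on the constructed archive inside throwaway
    sandboxes and report where the files ended up."""
    result = {}
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "dest")
        os.makedirs(dest)
        # Newer CPython warns (3.12) or refuses (default "data" filter) here;
        # the escape only succeeds on interpreters that still trust names.
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                naive_extract(build_sample_tar(), dest)
        except tarfile.TarError:
            pass
        result["naive_escaped"] = os.path.isfile(os.path.join(sandbox, "escaped.txt"))
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "dest")
        extracted, rejected = safe_extract(build_sample_tar(), dest)
        result.update(
            extracted=extracted,
            rejected=rejected,
            readme_present=os.path.isfile(os.path.join(dest, "readme.txt")),
            safe_escaped=os.path.isfile(os.path.join(sandbox, "escaped.txt")),
        )
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done per member rather than with a single pre-scan of getnames() because realpath() is evaluated against the directory as it exists at that moment: a symlink extracted earlier in the same archive can turn a later, innocent-looking relative name into an escape, and only a check made just before each extract() sees that.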

Back in October 2007, the bug was considered to be of low importance, and it remains widespread in various frameworks, including some developed by Amazon Web Services, Google, Intel and Netflix, and in many other applications used for machine learning, automation and Docker containerisation.

Doug McKee, Trellix principal engineer and director of vulnerability research, said that since then the team had been working on a four-month-long effort to automate the patching of vulnerable open source projects, taking inspiration from a talk at DEFCON 2022 by researcher Jonathan Leitschuh. “Through GitHub, developers and community members are able to push code to projects or repositories on the platform via a process called pull request,” he said. “Once a request is opened, the project maintainers review the suggested code, request collaboration or clarification if needed, and accept the new code. In our case, the code pushed via pull request delivered unique patches to each of the vulnerable GitHub projects.

“As we defined a process to automate patching … our Advanced Research Center vulnerability team was able to automate most of the processes, except for quality control. We broke the process into two steps, the patching phase and the pull request phase, both of which were automated and simply needed to be executed.”

After receiving a list of repositories and files containing the keyword “import tarfile” from GitHub, the Trellix team compiled a de-duplicated list of repositories to scan, then cloned and scanned each one using an application vulnerability scanning tool called Creosote that it developed for the purpose. If Creosote found a vulnerable repository, the team patched the file and created a local patch diff containing the patched file, the original file (so that the two could be compared) and repository metadata.

This done, the team reviewed the list of local patch diffs, created a fork of the vulnerable repository, cloned it, and replaced the original file with the patched file if it had not changed in the meantime; if it had, they took care not to overwrite any other changes.

The changes were then committed to the fork of the vulnerable repository, and a pull request opened from the fork back to the original to explain to the repository owners what was happening. It is now down to the repository owners themselves to accept the patch, added McKee.
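The scanning step of the procedure above, as an added example that is not Creosote and not part of the original article: a minimal AST-based scan that, like the Trellix workflow, starts only from modules that import tarfile, then flags extract()/extractall() calls that pass no filter argument. The article does not say what Creosote actually checks, and the filter keyword postdates the Trellix effort, so this heuristic is an assumption chosen for the demonstration; the sample source is constructed, and it deliberately includes a non-tarfile object with the same method name to show that a name-based heuristic produces false positives that need the manual quality-control step McKee describes.

```python
# Added example (not Trellix's Creosote): a minimal AST-based scan in the spirit
# of the procedure above. It starts from files that import tarfile and flags
# extract()/extractall() calls that pass no "filter" keyword. SAMPLE_SOURCE and
# NON_TARFILE_SOURCE are constructed inputs for the demonstration.
import ast

SAMPLE_SOURCE = '''\
import tarfile

def unpack(archive, dest):
    with tarfile.open(archive) as tar:
        tar.extractall(dest)                     # vulnerable pattern

def unpack_with_filter(archive, dest):
    with tarfile.open(archive) as tar:
        tar.extractall(dest, filter="data")      # explicit filter, not flagged

def unrelated():
    zipped.extractall("out")                     # false positive: name heuristic
'''

NON_TARFILE_SOURCE = "import zipfile\nzipfile.ZipFile('a.zip').extractall('out')\n"


def imports_tarfile(tree: ast.AST) -> bool:
    """Mirror the article's first filter: only modules that import tarfile."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "tarfile" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module == "tarfile":
            return True
    return False


def scan_source(source: str, filename: str = "<memory>") -> list[tuple[int, str]]:
    """Return (line, call name) for each extract/extractall call that passes no
    filter= keyword. The match is by attribute name only, so objects that are
    not TarFile instances but expose the same method are reported too; a human
    review step decides which findings get a patch."""
    tree = ast.parse(source, filename)
    if not imports_tarfile(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("extract", "extractall")
                and not any(kw.arg == "filter" for kw in node.keywords)):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: unfiltered {name}() call")
```

Run over a cloned repository this would be applied to every .py file; the import gate keeps the scan close to the keyword search the team started from, and the line numbers are what the patching step needs to locate each call site.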

“The vulnerable tarfile module is included in the base Python package and is a readily available solution for a common problem – it is also, without a direct fix from Python, firmly embedded in the supply chain of many projects,” he said.

“Its permanence, along with the fact that nearly all the learning material for how to properly use the tarfile module teaches developers how to use it improperly, creates a vast attack surface. Through these efforts to automate and patch vulnerable projects, the software supply chain attack surface is narrowed.

“This work to narrow the attack surface cannot be done without collaboration across our industry,” added McKee. “As an industry we cannot afford to ignore the need to seek out and eradicate foundational vulnerabilities. Mass patching of open source projects can be done, even if it takes a lot of time, and it can provide benefits to organisations of all sizes, across sectors and regions.”

He urged all organisations using code libraries and frameworks in their applications to put in place appropriate checks and review measures to ensure proper visibility into their software supply chains, and emphasised the importance of encouraging developers to get educated on all layers of the tech stack.
