The Apache Software Foundation (ASF) has warned that its efforts to respond rapidly to security vulnerabilities are being undermined by organizations running end-of-life (EOL) versions of Apache software.
The warning came as part of the ASF’s latest annual review of security across the Apache ecosystem, which revealed that it received 441 reports of potential new vulnerabilities in 2021 across 99 top-level projects, a 17% rise in submissions reaching triage compared to 2020 (376 reports) and a 38% rise on 2019 (320).
Those reports ultimately accounted for 183 CVEs, up 21% on 2020 (151) and 50% on 2019 (122), including the bombshell Log4j vulnerability. 12% of the 441 reports were still under triage, meaning they had yet to be either assigned a CVE or rejected as invalid. This figure was higher than expected because of a spike in reports at the tail end of December.
While the response to newly found vulnerabilities is fast, exploitation of vulnerabilities that persist in legacy, EOL software remains a headache. “This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what to do to help,” the ASF said. The ASF also said it received 135 emails reporting ‘flaws’ in the Apache website in 2021 that turned out to be false positives.

Notorious Log4j bug
One cross-site scripting (XSS) flaw in Apache Velocity was disclosed prematurely in January, after a months-long delay between the fix being developed and the corresponding patch being released.
The ASF welcomed research into novel HTTP/2-specific threats affecting the Apache HTTP Server (CVE-2021-33193), published in August, and the addition of Apache Airflow, Apache HTTP Server, and Apache Commons to HackerOne’s Internet Bug Bounty program in October.