Apache Software Foundation 2020 Security Report: Six Things Worth Noting

Recently, the Apache Software Foundation [published](https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1) its "2020 Apache Software Foundation Security Report". Of the roughly 18,000 emails received over 2020, the ASF identified 946 non-spam conversations.

Specifically, 257 conversations (27%) came from people confused about the Apache License. Because many projects (not only those under the ASF) use the Apache License, people who come across it without knowing what it is are often puzzled. The most common example is the license text shown in a smartphone's settings menu, which is usually there because the system includes software that Google released under the Apache License.

Of these emails, the ASF says: "Although this is double the number from 2019, we no longer reply to these emails."

![](https://static001.geekbang.org/infoq/bf/bf69e13c6c9cbfc5f798b6be12f878ca.png)

Second, 220 conversations (23%) were mainly people asking non-security (usually support-type) questions.

In addition, 376 reports concerned new vulnerabilities in 101 top-level projects. Of these, 341 reports led the ASF Security Committee to assign 151 CVE names. The Apache Security Committee is responsible for CVE name assignment and is a Mitre CVE Numbering Authority (CNA).

## Noteworthy events

The report mentions several events from 2020 that are worth discussing, including:

- February: An issue in Tomcat, [CVE-2020-1938](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938), was given the name Ghostcat, attracted media attention, and was disclosed by a third-party coordination center before Tomcat published its advisory (although the issue had already been fixed in new Tomcat releases). Although the consequences of exploitation are severe, it only affects Tomcat installations that expose an unprotected AJP connector to untrusted networks (not a good idea even without this issue), which limits the number of affected installations. Multiple proof-of-concept exploits were published for this issue, including a Metasploit module.
- May: CISA published a [list of the top ten most routinely exploited vulnerabilities](https://us-cert.cisa.gov/ncas/alerts/aa20-133a), which includes [CVE-2017-5638](https://nvd.nist.gov/vuln/detail/CVE-2017-5638), a remote command execution (RCE) vulnerability in Apache Struts 2 that was disclosed and fixed in 2017. The issue [was exploited in the wild](https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html), but the first exploitation was observed only after the advisory and update had been released.
- July: Apache Guacamole 1.1.0 and earlier were vulnerable to a number of RDP-related issues, [CVE-2020-9497](https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E) and [CVE-2020-9498](https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc@%3Cannounce.apache.org%3E). If a user connects to a malicious or compromised RDP server, these could lead to memory disclosure and possibly remote code execution.
- August: A vulnerability in Apache Struts ([CVE-2019-0230](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230)) could lead to arbitrary code execution. To exploit it, an attacker would need to inject a malicious Object-Graph Navigation Language (OGNL) expression into an attribute that is used inside an OGNL expression. Although Struts has mitigations against potential expression injection, versions before 2.5.22 still exposed an attack vector, which was fixed in [the update for this issue](https://cwiki.apache.org/confluence/display/WW/S2-059). A Metasploit exploit exists for this issue.
- November: Previously, each ASF project was responsible for writing its own CVE entries and submitting them to Mitre. This led to delays in updating many Apache issues in the CVE database, because entries in the old format were frequently rejected. The ASF released an internal tool that gives projects handling security issues a way to edit, validate and submit their entries to Mitre. The Apache Security Committee's goal is to have the CVE database updated within one day of an issue being published.
- December: The CVE project released a new automation API, and the ASF became the first organization to use it to obtain CVE names in real time. Instead of the security team holding a pool of names reserved in advance, names are now allocated on demand, and the service also handles the emails sent to the PMC and other parts of the process that were previously done by hand. The Apache Security Committee expects more automation in 2021 to further simplify the CVE process for projects.
- Proof-of-concept or Metasploit exploits were also published for 2020 issues in Apache OFBiz (CSRF, [CVE-2019-0235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0235)), Apache OpenMeetings (DoS, [CVE-2020-13951](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13951)) and Apache Flink (arbitrary read/write and RCE, [CVE-2020-17518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518), [CVE-2020-17519](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519)).

The report comes from the Apache Software Foundation (ASF) Security Committee, which oversees and coordinates vulnerability handling across more than **340** Apache projects. Founded in 2002 and made up of volunteers, the committee has a [uniform process](https://s.apache.org/cveprocess) for handling issues.

Anyone who finds a security issue in an Apache project can report it to [email protected], where it is logged and passed on to the relevant [dedicated security team](https://apache.org/security/projects.html) or the private Project Management Committee (PMC) for handling. The Security Committee monitors every issue reported to all of these addresses and tracks it throughout the vulnerability lifecycle. It is responsible for making sure issues are handled correctly, and it proactively reminds projects of unresolved issues and outstanding responsibilities.

The process is roughly divided into four stages:

- **Triage**: The Security Committee aims to handle mail sent to the [email protected] address within three working days. It does not produce quick statistics or reports on this, because the severity of each issue must first be assessed and limited resources allocated appropriately. The address is managed by a very small number of volunteers drawn from different project PMCs. Once the security team has forwarded a report to the PMC, the PMC replies to the reporter. So if you have reported an issue to the Security Committee and have heard nothing after a week, do send a follow-up email. Reporters sometimes send reports with large PDF attachments or even videos of the vulnerability, but the attachments do not come through, so make sure any follow-up is a simple plain-text email.
- **Investigation**: Once a report has been sent to a PMC's private list, how long triage and investigation take varies with the project, the availability of resources and the number of issues to assess. When the Security Committee sends a report to this private list, it does not go to every committer on the project, so the number of people in each project who can investigate and respond is much smaller. As a general guideline, the Security Committee tries to ensure that projects triage issues within 90 days of the report. The ASF security team follows up on issues that have not been triaged after 90 days.
- **Fix**: Once a security issue has been triaged and accepted, the timeline for resolving it depends on the project's own schedule. Lower-severity issues are usually left for a planned future release.
- **Announcement**: The Security Committee's process allows a delay of a few days between the announcement of a vulnerability and the push of the fixed release, to give mirrors time to prepare. All vulnerabilities are announced via the [email protected] list. The Security Committee now aims to have them appear in the public Mitre list within one day of the announcement.

Mark Cox, ASF Vice President of Security, wrote: "Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, governance and security models. However, one thing the projects have in common is a consistent process for handling reported security issues. The ASF Security Committee works closely with project teams, communities and reporters to ensure issues are handled quickly and correctly. This responsible oversight is a principle of the Apache Way and helps ensure that Apache software is stable and trustworthy."