Sep 30, 2020

Sonatype examines lodash’s open source vulnerabilities

William Girling
In our next article on Sonatype’s Top 5 Open Source Vulnerabilities White Paper, we explore the vulnerabilities of lodash

Ranked fourth on Sonatype’s list, lodash is a more modern project than Bouncycastle: it saw its initial release in April 2012 and a stable release in August 2020.

A JavaScript library designed to help programmers write in a clearer, more manageable way, it has provided diverse utility functions (including ‘function’, ‘string’, ‘array’, ‘collection’ and more) across its release history.

“Lodash is a very popular Javascript library used by developers worldwide to simplify and consolidate their code,” said Sonatype in a recent blog post.

“Users of lodash are able to reap the benefits of more elegant code in less time by utilising the robust lodash library. However, what was created as a helpful feature for most, lends itself to an attack vector for bad actors if it isn’t managed properly.”

Attack mechanics and remediation procedure

According to Sonatype’s research, vulnerability CVE-2018-16487 stems from an apparently incomplete fix, shipped in lodash version 4.17.5, for an earlier issue (CVE-2018-3721).

Lodash is particularly susceptible to ‘prototype pollution’. JavaScript is a prototype-based language: objects inherit properties from a prototype chain, and the language is geared towards quickly adding new objects and properties at runtime.

Attackers can abuse this behaviour by inserting large quantities of incompatible objects in a short time frame, which can result in denial of service (DoS) or remote code execution (RCE).

To resolve the issue, Sonatype recommends users upgrade to version 4.17.11 of lodash, which contains a dedicated fix for the issue.

“If upgrading is not a viable option, some developers have chosen to protect against this vulnerability by replacing a property entirely (rather than recursively extending it) if the destination object doesn't have that property as its own,” it advises.

Furthermore, the company notes that fixing one of lodash’s properties does not necessarily guarantee that all others are equally protected, so users are advised to proceed carefully to ensure the vulnerability is resolved across the board.
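To make the attack mechanics and the recommended mitigation concrete, the following is an added illustration written for this article; it is not lodash’s code and not Sonatype’s. The two merge functions are simplified stand-ins for a recursive “deep merge”, the JSON string is a constructed sample of attacker-controlled input, and the explicit denylist of `__proto__`, `constructor` and `prototype` keys is an additional defence on top of the own-property check Sonatype describes. The `prototypeIsClean` check is the kind of post-condition a defender can run after processing untrusted input.

```javascript
// Added example: naive versus hardened recursive merge (not lodash's code).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: follows whatever key the source supplies. A key named
// "__proto__" resolves to Object.prototype on the target, so the recursion
// writes attacker-chosen properties onto every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge following the advice quoted above: only recurse into a
// property the destination already holds as its OWN property; otherwise
// replace it entirely. Prototype-steering keys are additionally refused.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never let input reach a prototype
    const value = source[key];
    const ownDest = Object.prototype.hasOwnProperty.call(target, key);
    if (ownDest && isPlainObject(target[key]) && isPlainObject(value)) {
      safeMerge(target[key], value);
    } else {
      target[key] = isPlainObject(value) ? safeMerge({}, value) : value;
    }
  }
  return target;
}

// Defender's post-condition: a fresh object must not have gained any
// enumerable inherited properties after untrusted input was processed.
function prototypeIsClean() {
  for (const _ in {}) return false;
  return true;
}

// Constructed sample of untrusted JSON, e.g. a request body (hypothetical).
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';

// Runs one merge implementation against the sample and reports whether
// Object.prototype was polluted, then undoes any pollution it caused.
function demonstrate(mergeFn) {
  const before = prototypeIsClean();
  const config = mergeFn({ theme: 'light', nested: { a: 1 } }, JSON.parse(UNTRUSTED_JSON));
  const result = {
    before,
    theme: config.theme,
    globalPolluted: ({}).polluted === true,
    after: prototypeIsClean(),
  };
  delete Object.prototype.polluted; // clean up for the rest of the process
  return result;
}

console.log('naive:', demonstrate(naiveMerge));
console.log('safe: ', demonstrate(safeMerge));
```

Run with `node`: the naive merge reports `globalPolluted: true` and fails the post-condition, while the hardened merge applies the legitimate `theme` change and leaves `Object.prototype` untouched. The same check is cheap enough to run in a test suite after any code path that merges user-supplied objects.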


Jun 17, 2021

Check Point: Securing the future of enterprise IT

Erez Yarkoni, Global VP, explains how a three-way partnership between Check Point, HOOPP, and Microsoft is yielding optimum cloud security

Cybersecurity solutions provider Check Point was founded in 1993 with a mission to secure ‘everything,’ and that includes the cloud. Conscious that nothing remains static in the digital world, the company prides itself on an ability to integrate new technology with its solutions. Across almost three decades in operation, Check Point, with its team of over 3,500 experts, has become adept at protecting networks, endpoints, mobile, IoT, and cloud.

“The pandemic has been somewhat of an accelerator in the evolution of cyber risk,” explains Erez Yarkoni, Global VP for Cloud Business. “We had remote workers and cloud adoption a long time beforehand, but now the volume and surface area is far greater.” Formerly a CIO for several big-name telcos before joining Check Point in 2019, Yarkoni considers the cloud to be “part of [his] heritage” and one of modern IT’s most valuable tools.

Check Point has three important ‘product families’, Quantum, CloudGuard, and Harmony, with each one providing another layer of holistic IT protection:

  • Quantum: secures enterprise networks from sophisticated cyber attacks
  • CloudGuard: acts as a scalable and unified cloud-native security platform for the protection of any cloud
  • Harmony: protects remote users and devices from cyber threats that might compromise organisational data


However, more than just providing security, Yarkoni emphasises the need for software to be proactive and minimise the possibility of threats in the first instance. This is something Check Point assuredly delivers: “the industry recognises that preventing, not just detecting, is crucial. Check Point has one platform that gives customers the end-to-end cover they need; they don’t have to go anywhere else. That level of threat prevention capability is core to our DNA and across all three product lines.”

In many ways, Check Point’s solutions’ capabilities have actually converged to meet the exact working requirements of contemporary enterprise IT. As more companies embark on their own digital transformation journeys in the wake of COVID-19, the inevitability of unforeseen threats increases, which also makes forming security-based partnerships essential. Healthcare of Ontario Pension Plan (HOOPP) sought out Check Point for this very reason when it was in the process of selecting Microsoft Azure as its cloud provider. “Let's be clear: Azure is a secure cloud, but when you operate in a cloud you need several layers of security and governance to prevent mistakes from becoming risks,” Yarkoni clarifies. 

The partnership is a distinctly three-way split, with each bringing its own core expertise and competencies. More than that, Check Point, HOOPP and Microsoft are all invested in deepening their understanding of each other at an engineering and developmental level. “Both of our organisations (Check Point and Microsoft) are customer-obsessed: we look at the problem from the eyes of the customer and ask, ‘Are we creating value?’” That kind of focus is proving to be invaluable in the digital era, when the challenges and threats of tomorrow remain unpredictable. In this climate, only the best protected will survive and Check Point is standing by, ready to help. 

“HOOPP is an amazing organisation,” concludes Yarkoni. “For us to be successful with a customer and be selected as a partner is actually a badge of honor. It says, ‘We passed a very intense and in-depth inspection by very smart people,’ and for me that’s the best thing about working with organisations like HOOPP.”
