Trellix automates tackling open source vulnerabilities at scale


Trellix used an automated technique that significantly sped up the process of patching over 61,000 open source projects against a serious Python problem. The tarfile module in Python was found to contain a 15-year-old vulnerability by the Trellix Advanced Research Center team last year. The vulnerability, identified as CVE-2007-4559, is characterized as a path traversal problem that might allow “user-assisted remote attackers” to overwrite any files through “a .. (dot dot) sequence in filenames in a TAR package.” While the security weakness was identified back in 2017, according to Trellix researcher Douglas McKee, it was “kept unattended” or unsolved. The vulnerability has thus been unintentionally added to about 350,000 open source projects and is regarded as “prevalent” in numerous closed source projects.
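The mitigation applied at scale is a destination check before extraction: every member's resolved output path (and any link target) must stay inside the chosen directory, so a `..` component in a member name is rejected rather than written. The following is an added illustration written for this page, not Trellix's patch or CPython code; the archive it extracts is constructed in memory, and the function names `is_within_directory`, `safe_extract` and `demo` are assumptions of the example.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves to directory itself or somewhere below it."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only members whose output path stays inside dest.

    Members with '..' components, absolute names, or hard/symlinks that
    point outside dest are skipped; their names are returned for logging."""
    rejected = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            rejected.append(member.name)
            continue
        if member.issym():   # symlink target is relative to the member's directory
            link_target = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():  # hard link target is relative to the archive root
            link_target = os.path.join(dest, member.linkname)
        else:
            link_target = target
        if not is_within_directory(dest, link_target):
            rejected.append(member.name)
            continue
        tar.extract(member, dest)
    return rejected

def build_sample_archive() -> bytes:
    """Constructed sample: one benign file and one '..' traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("ok.txt", b"safe"), ("../escape.txt", b"oops")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def demo() -> tuple[list[str], bool, bool]:
    """Returns (rejected names, benign file written?, file escaped dest?)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
            rejected = safe_extract(tar, dest)
        return (rejected,
                os.path.exists(os.path.join(dest, "ok.txt")),
                os.path.exists(os.path.join(tmp, "escape.txt")))
```

Newer CPython releases add an extraction `filter` argument to `extract`/`extractall` that performs a comparable check; the explicit version above shows what that check has to cover.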
