Google leads ‘guerilla patching’ of big vulnerability in open source projects
By John E Dunn, Sophos
March 7, 2017
Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.
Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.
That was despite it eventually affecting software shipped by Oracle, Cisco, Red Hat, VMware, IBM, Intel, Adobe, HP, OpenNMS, Jenkins and SolarWinds.
It was serious enough to figure in the ransomware attacks of 2016, on Baltimore’s Union Memorial Hospital in March and on the San Francisco Municipal Transportation Agency (MUNI) in November.
We should, then, view FoxGlove’s sarcasm in its 2015 alert as prescient: “No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires.”