How can I determine whether an Open Source vulnerability can be exploited?

Upgrading OS libraries in my legacy application is costly for historical reasons. Suppose my app uses an Open Source library A which requires OS library B which uses library C. I find that C has a vulnerability.

  1. If running 100% regression on my app finds that the vulnerable part of C is not called, can I assume that this particular vulnerability is a false positive FOR MY APP?

  2. JaCoCo reports can tell me if any specific parts of my application and all of its component OS libraries were called. Given that this might let me avoid a library upgrade, is this a practical method of ranking vulnerabilities? Is there a better way to determine whether a vulnerability is accessible?

  3. What is a good way to determine what parts of a given OS library contain the vulnerability?

Thanks.

First of all, if you want to be safe: update the library. Often you can just apply the security patch without updating the entire system. This would be the only final fix.

If you don’t want to do that, I would look at the vulnerability report to gain a bit more insight. What are the attack vectors? Some part of your application must be (indirectly) calling the library, otherwise the library wouldn’t be required at all. Also consider that the vulnerability may open you up to attacks that bypass your application itself (so while your application may never call the vulnerable code, an attacker could still trigger the vulnerability).

Also consider options such as firewalling the entire machine shut, maybe?

However, all of the time investigating on how to mitigate the chanes of being affected as much as possible can also be invested in just patching up the library (or perhaps finding a compatible replacement).

1 Like