Modes Of Introduction
Architecture and Design : The product architect or designer might choose a component that is already known to contain vulnerabilities or has a high likelihood of containing vulnerabilities in the future.
Implementation : For reasons of compatibility or stability, developers might choose a third-party component, such as a library, that is already known to contain vulnerabilities.
Patching and Maintenance : Since all products contain vulnerabilities, over time, a third-party component will be discovered to have a vulnerability.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Operating Systems
Class: Not OS-Specific (Undetermined)
Architectures
Class: Not Architecture-Specific (Undetermined)
Technologies
Class: Not Technology-Specific (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Confidentiality Integrity Availability | Varies by Context
Note: The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and features for which the product relies on the component. | |
Potential Mitigations
Phases : Requirements // Policy
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Phases : Requirements
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Phases : Architecture and Design // Implementation // Integration // Manufacturing
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phases : Operation // Patching and Maintenance
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phases : Operation // Patching and Maintenance
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Detection Methods
Automated Analysis
For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
Effectiveness : High
Vulnerability Mapping Notes
Rationale : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments : Examine children of this entry to see if there is a better fit
References
REF-1313
The Unfortunate Reality of Insecure Libraries
Jeff Williams, Arshan Dabirsiaghi.
https://owasp.org/www-project-dependency-check/ REF-1212
A06:2021 - Vulnerable and Outdated Components
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ REF-1247
Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)
NTIA Multistakeholder Process on Software Component Transparency Framing Working Group.
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf REF-1311
The Cases for Using the SBOMs We Build
Amélie Koran, Wendy Nather, Stewart Scott, Sara Ann Brackett.
https://www.atlanticcouncil.org/wp-content/uploads/2022/11/AC_SBOM_IB_v2-002.pdf REF-1312
OWASP Dependency-Check
OWASP.
https://owasp.org/www-project-dependency-check/ REF-1314
ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01 REF-1315
Unleashing Mayhem over Bluetooth Low Energy
Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang, Singapore University of Technology and Design.
https://asset-group.github.io/disclosures/sweyntooth/ REF-1316
Alert (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
CISA.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a REF-1317
What Log4Shell taught us about application security, and how to respond now
SC Media.
https://www.scmagazine.com/resource/application-security/what-log4shell-taught-us-about-appsec-and-how-to-respond REF-1320
A Framework for a Medical Device Security Program at a Healthcare Delivery Organization
Ali Youssef.
https://array.aami.org/content/news/framework-medical-device-security-program-healthcare-delivery-organization REF-1321
Shared Responsibility Model Explained
Cloud Security Alliance.
https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/ REF-1322
Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Melissa Chase, Steven Christey Coley, Julie Connolly, Ronnie Daldos, Margie Zuk.
https://www.mitre.org/news-insights/publication/medical-device-cybersecurity-regional-incident-preparedness-and-response
Submission
Name |
Organization |
Date |
Date Release |
Version |
CWE Content Team |
MITRE |
2023-01-25 +00:00 |
2023-01-31 +00:00 |
4.10 |
Modifications
Name |
Organization |
Date |
Comment |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated References, Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes, Taxonomy_Mappings |
CWE Content Team |
MITRE |
2023-10-26 +00:00 |
updated Demonstrative_Examples |