An often-overlooked aspect of vulnerability management is the set of software components that exist on a system, such as PHP, Apache Struts, and Ghostscript. These components are often dependencies of other applications. If the packages are installed through a normal package manager, like yum or apt, updates should be applied during periodic updates. There are three things to be aware of, though:
- If a package goes end of life, as is about to happen to PHP 5, updates may simply and silently stop being applied, leaving a potentially vulnerable piece of software running on a system.
- If a component is custom compiled, a package manager will not apply updates. Note: this is an argument in favor of using binaries provided by mainstream repositories.
- Vulnerability scans may not be able to detect vulnerabilities in such components, particularly unauthenticated scans, which can only infer versions from what a component exposes on the network; a credentialed scan can read the package database directly but still knows nothing about a binary no package claims.
As we move toward infrastructure-as-code, maintaining these inventories should be less taxing, since the configuration definition for a system should explicitly list the packages installed. If it doesn't, you're doing IaC wrong.
Create a list of all such components in your environment, determine what process identifies a vulnerability in each, and make sure each one is updated when necessary. Many will be updated in the normal course of operating system updates; others will require manual tracking to know when to download, compile, and install updated source code.
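As an added example (not part of the original post), the script below does the first pass of that inventory for a Debian/Ubuntu host: it reads the dpkg database formats to decide, for each watched binary, whether a package owns it (so the package manager will update it), whether the upstream branch it ships is already end of life (so no update will ever arrive), or whether nothing claims it (custom compiled, track it by hand). The dpkg status and file-list excerpts, the host binaries, and the Ghostscript-related entries are constructed for the example; the one real date is PHP 5.6 losing upstream security support on 2018-12-31. On a live host, replace the sample strings with `/var/lib/dpkg/status` and `/var/lib/dpkg/info/*.list`.

```python
"""Component inventory: package-managed vs custom-compiled vs end-of-life.

Reads the two dpkg on-disk formats (status stanzas and per-package file
lists). All sample data below is constructed for the example.
"""
import re
from datetime import date

# Binaries worth tracking, keyed by the component name used in the EOL table.
# Paths are assumptions for the example.
WATCHED = {"php": "/usr/bin/php", "gs": "/usr/bin/gs", "java": "/usr/bin/java"}

# Upstream branches that no longer receive security fixes.
# PHP 5.6: security support ended 2018-12-31 (real date).
EOL = {("php", "5.6"): date(2018, 12, 31)}

# Constructed excerpt of /var/lib/dpkg/status. Note ghostscript is removed
# (config files only), so it must not count as installed.
DPKG_STATUS = """\
Package: php5.6-cli
Status: install ok installed
Version: 5.6.40+dfsg-0+deb8u9
Description: command-line interpreter for the PHP scripting language
 This package provides the /usr/bin/php5.6 command interpreter.

Package: ghostscript
Status: deinstall ok config-files
Version: 9.26a~dfsg-0+deb9u6

Package: libc6
Status: install ok installed
Version: 2.28-10
"""

# Constructed excerpt of /var/lib/dpkg/info/<package>.list: files each package owns.
DPKG_FILE_LISTS = {
    "php5.6-cli": ["/usr/bin/php5.6", "/usr/bin/php"],
    "libc6": ["/lib/x86_64-linux-gnu/libc.so.6"],
}

# Constructed view of what is actually on the host. /usr/bin/gs exists but
# no installed package claims it: it was built from source.
HOST_BINARIES = ["/usr/bin/php", "/usr/bin/gs"]


def parse_dpkg_status(text):
    """Return {package: version} for packages whose state is 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (Description body) start with whitespace.
            if line[:1].isspace() or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            fields[key] = value
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def upstream_version(debian_version):
    """'1:5.6.40+dfsg-0+deb8u9' -> '5.6.40'.

    Drops the epoch, the Debian revision (text after the last '-') and
    packaging suffixes such as '+dfsg' or '~rc1'.
    """
    v = debian_version.split(":", 1)[-1]
    v = v.rsplit("-", 1)[0]
    return re.split(r"[+~]", v)[0]


def inventory(binaries, status_text, file_lists, today):
    """Classify each watched binary present on the host."""
    installed = parse_dpkg_status(status_text)
    # Map file path -> owning package, considering installed packages only.
    owner = {path: pkg for pkg, paths in file_lists.items()
             if pkg in installed for path in paths}
    report = {}
    for name, path in WATCHED.items():
        if path not in binaries:
            continue  # component not on this host
        pkg = owner.get(path)
        if pkg is None:
            report[name] = {"source": "custom-compiled",
                            "action": "no package owns it; track upstream manually"}
            continue
        ver = upstream_version(installed[pkg])
        branch = ".".join(ver.split(".")[:2])
        eol = EOL.get((name, branch))
        if eol and eol <= today:
            action = f"branch {branch} EOL since {eol}; updates will silently stop"
        else:
            action = "updated by package manager"
        report[name] = {"source": pkg, "version": ver, "action": action}
    return report


if __name__ == "__main__":
    for name, info in inventory(HOST_BINARIES, DPKG_STATUS,
                                DPKG_FILE_LISTS, date.today()).items():
        print(f"{name:5} {info}")
```

The same ownership question is answered interactively by `dpkg -S /usr/bin/gs` on Debian-family hosts and `rpm -qf /usr/bin/gs` on RPM-based ones; a "not owned by any package" answer is the signal that the component needs a manual tracking process. The EOL table is the part that cannot be derived from the host and has to be maintained by hand.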
It’s hard to manage what you don’t know you have.