13.07.2015

hp-security-research-cyber-risk-report-pdf-2-w-1408

HP Security Research | Cyber Risk Report 2015

Denial of service is the most commonly reported category; however, it is not the most critical. OGNL expression injection is the most commonly reported critical category; however, at 7 percent it affects only a small fraction of applications reviewed. The majority of projects inherit denial of service, cross-site scripting, and insecure SSL issues from third-party libraries.

Figure 29. Top 10 popular libraries and unique CVE distribution (bar chart; left axis: unique CVE count; right axis: % project count (library usage); libraries shown: commons-file-upload:commons-fileupload, commons-httpclient:commons-httpclient, struts:struts, org.springframework:spring-web, axis:axis, xerces:xercesImpl, org.springframework:spring-webmvc, org.apache.santuario:xmlsec, xalan:xalan, org.apache.httpcomponents:httpclient)

Popular libraries have on average three issues, while most have fewer than five issues. Libraries with the most vulnerabilities are less popular. They also produce fewer releases.

Figure 30. Top 10 vulnerable libraries by unique CVE and severity distribution (bar chart; series: unique CVE count, component version count, % project count (library usage); libraries shown: org.apache.struts:struts2-core, org.apache.struts.xwork:xwork-core, org.apache.tomcat:tomcat-catalina, org.apache.tomcat:catalina, com.opensymphony:xwork, opensymphony:xwork, org.mortbay.jetty:, struts:struts, org.apache.santuario:xmlsec, org.springframework:spring-web)
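
The library-level numbers behind Figures 29 and 30 (unique advisories per library, the share of projects that declare each library, and the share of projects that inherit each weakness category through a dependency) can be computed from dependency manifests plus an advisory feed. The Python below is an added example and is not code from the HP report or its scanning tooling. Every project name, Maven coordinate, advisory ID (the ADV-xxxx values are placeholders, not real CVEs), category and affected-version list is constructed sample data, and the script matches exact versions only; a real tool would evaluate version ranges and transitive dependencies.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One published weakness in a library (constructed sample record)."""
    advisory_id: str           # placeholder ID, deliberately not a real CVE
    category: str              # weakness class used for the category tallies
    critical: bool             # whether this issue counts as critical
    affected: FrozenSet[str]   # exact versions known to be affected


# Constructed advisory database keyed by Maven "groupId:artifactId".
ADVISORIES: Dict[str, List[Advisory]] = {
    "example.org:web-core": [
        Advisory("ADV-0001", "ognl expression injection", True, frozenset({"2.3.0", "2.3.1"})),
        Advisory("ADV-0002", "denial of service", False, frozenset({"2.3.0", "2.3.1", "2.3.2"})),
    ],
    "example.org:http-client": [
        Advisory("ADV-0003", "insecure SSL", False, frozenset({"3.1"})),
        Advisory("ADV-0004", "denial of service", False, frozenset({"3.1", "4.0"})),
    ],
    "example.org:xml-parser": [
        Advisory("ADV-0005", "denial of service", False, frozenset({"2.9.0"})),
        Advisory("ADV-0006", "cross-site scripting", False, frozenset({"2.9.0"})),
    ],
    "example.org:template-engine": [
        Advisory("ADV-0007", "cross-site scripting", False, frozenset({"1.0"})),
    ],
}

# Constructed dependency manifests: project -> declared "group:artifact:version".
PROJECTS: Dict[str, List[str]] = {
    "proj-a": ["example.org:web-core:2.3.1", "example.org:http-client:3.1"],
    "proj-b": ["example.org:http-client:4.0", "example.org:xml-parser:2.9.0"],
    "proj-c": ["example.org:web-core:2.4.0", "example.org:http-client:4.0",
               "example.org:template-engine:1.0"],
    "proj-d": ["example.org:xml-parser:2.9.0"],
}


def parse_coordinate(coord: str) -> Tuple[str, str]:
    """Split 'group:artifact:version' into ('group:artifact', 'version')."""
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def inherited_advisories(manifest: List[str]) -> Dict[str, List[Advisory]]:
    """Advisories a project inherits, keyed by the library carrying them.
    A library counts only if the declared version is in the affected set,
    so proj-c's web-core 2.4.0 contributes nothing."""
    hits: Dict[str, List[Advisory]] = {}
    for coord in manifest:
        lib, version = parse_coordinate(coord)
        found = [a for a in ADVISORIES.get(lib, []) if version in a.affected]
        if found:
            hits[lib] = found
    return hits


def library_usage(projects: Dict[str, List[str]]) -> Dict[str, float]:
    """Percentage of projects declaring each library (the '% project' axis)."""
    counts: Counter = Counter()
    for manifest in projects.values():
        for lib in {parse_coordinate(c)[0] for c in manifest}:
            counts[lib] += 1
    return {lib: 100.0 * n / len(projects) for lib, n in counts.items()}


def unique_advisory_count(advisories: Dict[str, List[Advisory]]) -> Dict[str, int]:
    """Distinct advisory IDs per library (the 'unique CVE count' axis)."""
    return {lib: len({a.advisory_id for a in advs}) for lib, advs in advisories.items()}


def category_prevalence(projects: Dict[str, List[str]],
                        critical_only: bool = False) -> Dict[str, float]:
    """Percentage of projects inheriting at least one issue of each category."""
    affected: Counter = Counter()
    for manifest in projects.values():
        seen = set()
        for advs in inherited_advisories(manifest).values():
            seen.update(a.category for a in advs if a.critical or not critical_only)
        affected.update(seen)
    return {cat: 100.0 * n / len(projects) for cat, n in affected.items()}


def most_common_category(projects: Dict[str, List[str]],
                         critical_only: bool = False) -> Optional[Tuple[str, float]]:
    """Category inherited by the largest share of projects (ties broken by name)."""
    prevalence = category_prevalence(projects, critical_only)
    if not prevalence:
        return None
    cat = min(prevalence, key=lambda c: (-prevalence[c], c))
    return cat, prevalence[cat]


if __name__ == "__main__":
    counts = unique_advisory_count(ADVISORIES)
    for lib, pct in sorted(library_usage(PROJECTS).items()):
        print(f"{lib:30s} used by {pct:5.1f}% of projects, {counts[lib]} unique advisories")
    print("most reported category:", most_common_category(PROJECTS))
    print("most reported critical category:", most_common_category(PROJECTS, critical_only=True))
```

With this sample data the most commonly inherited category is denial of service while the only critical category is OGNL expression injection in a single project, which is the shape of result the report describes; the two axes of Figure 29 correspond to `library_usage` and `unique_advisory_count`.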
