Securing Open Source Software

January 10, 2024 | 8 minute read
Eric Maurice
Vice President of Security Assurance
John Heimann
Vice President, Security Program Management

Open source software (OSS) has become a foundation of modern IT. It is consumed in many forms: from complete solutions (operating systems, programming languages, databases, content management systems, web servers, etc.) to embedded components in enterprise systems and consumer applications (Log4j, Struts, jackson-databind, SnakeYAML, curl, glibc, etc.).

The security community has placed increasing emphasis on security research about OSS in recent years, which has resulted in an increase in reported vulnerabilities in OSS components. As a direct consequence, Oracle has experienced a steady increase in the number of patches it releases to address security vulnerabilities affecting OSS components used in Oracle product distributions (for example, since the April 2022 Critical Patch Update, non-Oracle CVEs have consistently represented over 75% of the CVEs reported in each Critical Patch Update advisory).

However, Oracle’s role in helping secure OSS is not limited to passing through security updates for OSS components included in Oracle product distributions. Oracle is not only a large user and integrator of OSS in its products; it is also one of the industry's largest OSS contributors:

  • A top contributor to the Linux Kernel, Oracle is a platinum member of the Linux Foundation, a platinum member of the Cloud Native Computing Foundation, and a founding member of the Open Enterprise Linux Association (OpenELA).
  • Tens of thousands of Oracle developers use open-source technology in building Oracle-licensed products and Oracle Cloud services and are thus actively involved in OSS security, including finding defects and contributing updates back to upstream projects.
  • Over 700 Oracle employees work full time on the development and maintenance of Oracle’s major OSS products (Oracle Linux, MySQL, Java, etc.), including developers who are solely focused on security and who use tools such as static and dynamic analysis to detect and resolve potential security vulnerabilities.
  • Oracle actively participates in various industry groups to drive measurable improvements to the security of OSS. Examples include working with CISA-sponsored groups driving the adoption of VEX, which enables OSS users to quickly determine the exploitability of OSS issues in complex software distributions, and Oracle developers contributing to various security publications, including the Open Source Security Foundation (OpenSSF) Compiler Options Hardening Guide for C and C++.

Specific examples of Oracle’s contribution to OSS security include:

  • Oracle developers created the IETF “in-transit encryption” standard and implemented it for Linux. RPC-over-TLS brings transparent, end-to-end encryption to NFS to help ensure the security of information while data is transmitted on the network. This work was included in the upstream Linux Kernel 6.4 release. For more information, see the blog entry “Encrypting NFS data on the Wire”.
  • Oracle coordinated the cross-industry security response to the “BootHole” security vulnerability in the GRUB2 bootloader. GRUB2 is the most popular bootloader for Linux and other OSes. Oracle developers are GRUB2 upstream maintainers, and they took the lead on both the disclosure coordination and the technical solutions. For more details, read the blog entry “An inside look at CVE-2020-10713, a.k.a. the GRUB2 "BootHole"”.
  • Oracle used static analysis tools to identify and fix more than 4,000 potential security vulnerabilities in the Linux kernel.
  • Oracle developed enhancements for GCC (the GNU Compiler Collection) which helped identify an additional 650 potential security vulnerabilities in the Linux kernel involving C flexible arrays. This work has also resulted in a standard software security recommendation for all C programs.
  • Oracle led the effort to implement multiprocess QEMU to run emulated devices in separate processes for isolation. Tighter security policies can be applied against the separate processes, and as a result, the attack surface is reduced compared to a monolithic QEMU process. In addition, Oracle contributed to a kernel enhancement that provides a separate kernel address for KVM when running virtual machines. This provides an extra level of protection against speculative execution exploits.
  • For years, Oracle has been making significant contributions to OpenSSL. At KubeCon North America 2023, Oracle announced plans to open source Jipher, a Java Cryptography Extension (JCE) provider for Federal Information Processing Standards (FIPS) environments, based on the latest Java technology from Project Panama and on OpenSSL. For more information, see the blog entry “Open sourcing Jipher for FIPS regulated environments”.
  • Under the stewardship of Oracle, a number of OSS projects benefited from a focus on security; for example, secure by default installation for Oracle MySQL, and accelerated deprecation of obsolete crypto mechanisms in Oracle Java.

Oracle on-premises and cloud customers have long benefitted from the security contributions made by Oracle in OSS. As an industry leader in security throughout the stack, from the bootloader to the hypervisor, the kernel, and the application layer, Oracle is committed to continuing to bring its expertise to bear in securing the OSS ecosystem.

Learn more about open source projects at Oracle by visiting https://oss.oracle.com/


Eric Maurice

Vice President of Security Assurance

With over 20 years’ experience in helping customers secure complex IT systems, respond to cyber incidents, and develop comprehensive security strategies to manage technological risks and meet regulatory requirements, Eric Maurice helps define corporate security assurance policies and programs for Oracle’s on-premises and cloud offerings.

John Heimann

Vice President, Security Program Management

John Heimann is Vice President, Security Program Management in Oracle's Global Product Security team.
