
We are using a software suite for automation of FTP traffic. It uses the Apache Mina FtpServer component as an embedded FTP server (for FTPS and SFTP).

The use of this library has been flagged as a security concern. The reasoning given was the age of the library (main development was done in 2008), and the low number of changes (no real changes since 2011). See the changes summary here.

The testers did indicate that there are no publicly known security issues for this library.

I'm not sure how to evaluate this risk. I would think that a stable open source library with no known issues would be a good thing.

  1. Is this a real risk, is the library an issue?
  2. Is the age of the library in itself a concern?
  3. Is the maintenance state a concern?
  4. Is the fact that it is maintained by Apache a pro?
  5. Are there security concerns for this library?
oɔɯǝɹ
  • we can't do security audits on random open source code, but the other parts of the question are ok – schroeder Jul 13 '17 at 22:36
  • I don't get it, there's been a patch applied in April to this library according to your link. When checking the [bug tracker](https://issues.apache.org/jira/projects/FTPSERVER/issues/FTPSERVER-462?filter=allopenissues) there seems to have been a "break" in the maintainers' activities on it, but it sounds like they're catching up on open issues. – Tensibai Jul 21 '17 at 10:09
  • Whether the server is secure or not, [FTP by itself is shit](http://mywiki.wooledge.org/FtpMustDie). Is there any reason you can't use SFTP (based on SSH)? – André Borie Jul 26 '17 at 12:33
  • @Andre, we don't use FTP, we use FTPS or SFTP, depending on partner capabilities. That is not the subject of this question. – oɔɯǝɹ Jul 26 '17 at 12:35
  • Well FTPS has the same issues as FTP regarding the lack of reliability. – André Borie Jul 26 '17 at 14:51
  • @Andre, this is not really the place for a discussion on the merits of FTPS vs SFTP. – oɔɯǝɹ Jul 26 '17 at 15:26


I'll try to answer the questions with the following explanation.

Describing the lack of development only is not a risk. But that is a matter of opinion as well. But the dependencies of your library (for example Java, and others) might be. This means that, for example, the library might be (known) bug free and stable indeed, but the underlying Java version might become the problem, introducing known vulnerabilities.

In order to assess that, you should audit the library including dependencies to say something useful about it.

Risk assessment

Also you should take into consideration the likelihood. Is this only accessible behind a Virtual Private Network (VPN) or behind an SSH tunnel with private keys in place, or both? Or is it open to the whole world? Then also consider the possible impact. Are there two users on the platform or twenty thousand? Can they open some media files only? Or highly confidential and classified information?

Bob Ortiz
  • We're running on Java 1.8, and had no trouble upgrading the runtime. – oɔɯǝɹ Jul 21 '17 at 10:56
  • @oɔɯǝɹ so in that case, the risks that apply are related to the last upgraded Java version and possibly other dependencies of the Apache Mina FtpServer. Yet, even then, the library itself should still be audited in order to say something useful about it. – Bob Ortiz Jul 21 '17 at 11:01
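The answer above recommends auditing the library together with its dependencies rather than judging it by age alone. The script below is an added example of what that audit looks like in practice; it is not code from the question's software suite or from the Apache Mina project. It parses the text output of `mvn dependency:tree` (a constructed sample is embedded; the versions in it are placeholders), builds an inventory of every transitive artifact, and checks each one against a placeholder advisory list and a maintenance-age policy. The advisory record `EXAMPLE-0001` and the `com.example:legacy-lib` artifact are invented for the example, and the last-release years are placeholders to be replaced with each project's real release history.

```python
"""Dependency inventory audit for an embedded server (added example).

Parses `mvn dependency:tree` text, then flags each transitive artifact that
  1. falls below the first fixed version of a known advisory, or
  2. has had no release for longer than the maintenance-age policy allows, or
  3. has no release history on file at all (so nobody has looked yet).
"""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output. The coordinates use
# Maven's group:artifact:packaging:version:scope layout; the versions and the
# com.example artifact are placeholders, not statements about real releases.
SAMPLE_TREE = """\
[INFO] com.example:ftp-automation:jar:1.0.0
[INFO] +- org.apache.ftpserver:ftpserver-core:jar:1.1.1:compile
[INFO] |  \\- org.apache.mina:mina-core:jar:2.0.16:compile
[INFO] +- org.apache.sshd:sshd-core:jar:1.7.0:compile
[INFO] +- com.example:legacy-lib:jar:0.9.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# Constructed placeholder advisory feed: coordinate -> [(advisory id, first fixed version)].
# Real data would come from a vulnerability database; EXAMPLE-0001 is not a real advisory.
ADVISORIES = {
    "com.example:legacy-lib": [("EXAMPLE-0001", "1.0.0")],
}

# Constructed placeholder last-release years for the maintenance-age check.
# Artifacts missing from this map are reported as "unknown-maintenance".
LAST_RELEASE_YEAR = {
    "com.example:legacy-lib": 2009,
    "org.apache.mina:mina-core": 2016,
    "org.slf4j:slf4j-api": 2017,
}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def coord(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass(frozen=True)
class Finding:
    artifact: Artifact
    kind: str  # "advisory", "stale" or "unknown-maintenance"
    detail: str


COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?$"
)


def parse_dependency_tree(text: str) -> list:
    """Return every transitive dependency in a `mvn dependency:tree` dump (root module excluded)."""
    deps = []
    for raw in text.splitlines():
        body = raw.replace("[INFO]", "", 1).strip()
        if not body.startswith(("+-", "\\-", "|")):
            continue  # root module line or unrelated log output
        # Drop the tree-drawing prefix ("+- ", "|  \- ") before matching the coordinate.
        match = COORD_RE.search(body.lstrip(" |+\\-"))
        if match:
            deps.append(Artifact(match["group"], match["artifact"],
                                 match["version"], match["scope"] or "compile"))
    return deps


def version_key(version: str) -> tuple:
    """Numeric tuple for ordering; non-numeric qualifiers (alpha, SNAPSHOT) sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def audit(deps, advisories, release_years, current_year, max_stale_years=3) -> list:
    """Apply the advisory and maintenance-age checks to every artifact in the inventory."""
    findings = []
    for dep in deps:
        for advisory_id, fixed_in in advisories.get(dep.coord, []):
            if version_key(dep.version) < version_key(fixed_in):
                findings.append(Finding(dep, "advisory", f"{advisory_id}: fixed in {fixed_in}"))
        year = release_years.get(dep.coord)
        if year is None:
            findings.append(Finding(dep, "unknown-maintenance", "no release history on file; look it up"))
        elif current_year - year > max_stale_years:
            findings.append(Finding(dep, "stale", f"last release {year}, {current_year - year} years ago"))
    return findings


def report(findings) -> list:
    """One human-readable line per finding, grouped by kind."""
    return [f"[{f.kind}] {f.artifact.coord}:{f.artifact.version} ({f.artifact.scope}) - {f.detail}"
            for f in sorted(findings, key=lambda f: (f.kind, f.artifact.coord))]


if __name__ == "__main__":
    inventory = parse_dependency_tree(SAMPLE_TREE)
    for line in report(audit(inventory, ADVISORIES, LAST_RELEASE_YEAR, current_year=2017)):
        print(line)
```

Run against a real project, the inventory step would read the actual `mvn dependency:tree` output and the two data maps would be fed from a vulnerability database and the projects' release histories; the point of the "unknown-maintenance" finding is that an artifact nobody has looked at is not the same as an artifact that is known to be fine, which is the distinction the answer draws between "no known issues" and "audited".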

The key point here is that it is not the age of the library that is a problem. On the contrary. But it is a problem if a library is unmaintained, and this problem becomes (very slightly) bigger if the library is old because that increases the risk that unfixed vulnerabilities exist.

1. Is this a real risk, is the library an issue? 5. Are there security concerns for this library?

Determining this would require taking into account your security requirements and adversarial model and potentially doing a security audit. Giving an answer is out of scope here.

2. Is the age of the library in itself a concern?

Actually, when a project is well maintained having a certain age can be beneficial because many security flaws will have been found and fixed.

3. Is the maintenance state a concern?

Absolutely, an unmaintained project will mean that new security flaws when found might not be fixed and you would have to fix them yourself or replace the library.

4. Is the fact that it is maintained by Apache a pro?

I don't think the organizational structure of the Apache foundation allows that conclusion. There are too many people and projects running things differently.

Elias

oɔɯǝɹ, as was mentioned, it is hard to do much of a security audit based off of some of the vague information provided.

I imagine that you have some understanding and awareness of typical security issues since you are actually here and asking about the security of an FTP related service.

Still, there are certainly aspects of this which are often questionable when it comes to security (old / presumably no longer supported, FTP related). Also, Open Source is great - when it is maintained and I like to think that consequently the 'white hats' can outweigh the 'black hats' heh.

Personally, I would find another solution because even if you skate by without a security issue for now, you are likely going to be looking for a new solution sooner than later. (I'm just presuming this based on my own experience). A main concern, just to be clear and this may be why you asked the question in the first place, is that software which has not undergone development for so long (I mean, that is coming on a DECADE) has a decent chance of eventually being exploited in some way and there is no one out there to watch for it and fix it, let alone even report it.

To answer your 5 questions, though (and hopefully get a bounty or a point so I can escape the newbie points sandbox :-p):

  1. Sort of just went over the possible ways it could be a risk. You could look at it from another perspective, though, and see if there is anyone (ideally more than one!) who also still uses it.

     If said group is using it, then you could possibly rely on them being a sort of 'canary in a coal mine.' Though that analogy is clearly not terribly sound in this field heh..

  2. Yes, the age of the library would be a concern. The one thing it has going for it is that it is connected, however distantly, to the Apache Foundation.

  3. Yes, the maintenance state would be a concern for me as well - see the beginning of my answer as to why.

  4. Heh, I hadn't looked ahead on the questions, I swear! :-p ... see response to Question 2

  5. Yes, there are potential security concerns. However, they are all speculative. Another way to possibly get something more concrete is to do some Link research, Domain research, and maybe some research on any others still using it (if there are any) - as well as taking that fact itself (pertaining to any remaining users) into serious consideration.

Good luck and feel free to check back in about it! Good rule of thumb is to try and stay up to date with software! But I suppose, sometimes not TOO up to date that you are just the guinea pig / bug finder ha.

Cheers