AWS/OSTIF commission audit of three Apache Commons projects

No vulnerabilities found, a number of security hardening improvements identified and implemented.

The Open Source Technology Improvement Fund (OSTIF), funded by Amazon Web Services (AWS), recently commissioned an audit of three Apache Commons projects: Apache Commons Lang, Apache Commons IO and Apache Commons Codec. We are proud to announce that Ada Logics, who performed the audit, did not find any vulnerabilities.

The Apache Commons libraries are low-level building blocks, often used in internal applications on trusted input. As such, unless otherwise specified, it is the responsibility of the application invoking the libraries to make sure any untrusted parameters are sanitized. When that layer of defense fails, we try to limit the possible impact of such a breach by making sure malicious or otherwise invalid input can cause minimal disruption. During their analysis, which included both manual auditing and code fuzzing, Ada Logics identified a number of new opportunities for such security hardening improvements, and contributed code to implement several of these.

We thank Amazon Web Services (AWS), OSTIF and Ada Logics for their help in ensuring the security of projects that use Apache Commons.

You can find additional information about this audit at the OSTIF blog.