OSTIF is proud to share the results of our security audit of the Apache Commons libraries IO, Lang, and Codec. Apache Commons libraries are open source extensions to the Java Development Kit (JDK). With the help of Ada Logics and Amazon Web Services, these three libraries can continue to support JDK users in good health.

Audit Highlights:

This audit was scoped around the three Apache Commons libraries IO, Lang, and Codec. Each library was reviewed manually and with static analysis tooling. Each also underwent a threat modeling documentation exercise to help the auditors further understand the security implications of that library. All three libraries received individual fuzz testing work to provide ongoing testing and results that help refine and further improve their security.

Audit Results:

  • 3 customized threat models and documentation for each audited library
  • Reported 15 issues with security impact
    • 4 Medium Severity
  • Submitted 9 fixes
  • Extended 3 existing OSS-Fuzz projects
  • Created 28 new fuzzers for the libraries, resulting in overall improved code coverage
    • Codec: +8 fuzzers
    • IO: +9 fuzzers
    • Lang: +12 fuzzers

Security audits don’t just produce quantitative results; they also produce documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles.

Thank you to the individuals and groups that made this engagement possible:

  • Apache Commons maintainers and community, notably Arnout Engelen, Gary Gregory, and the Apache Security Team
  • Ada Logics: “Arthur” Sheung Chi Chan, Adam Korczynski, and David Korczynski
  • Amazon Web Services

You can read the Audit Report HERE

You can read Apache’s blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].