Orca Security Research Reveals How Software Industry Unwittingly Distributes Virtual Appliances with Known Vulnerabilities
Software vendors are often distributing their wares on virtual appliances with exploitable and fixable vulnerabilities, and running on outdated or unsupported operating systems:
The Orca Security research study found 401,571 total vulnerabilities in scanning 2,218 virtual appliance images from 540 software vendors.
The research has started to move the cloud security industry to a safer future. Since alerting vendors of these risks, 287 products have been updated and 53 removed from distribution, leading to 36,938 discovered vulnerabilities being addressed.
For example, Dell EMC issued a critical security advisory; Cisco published fixes to 15 found security risks; and IBM, Symantec, Kaspersky Labs, Oracle, Splunk, ZOHO and Cloudflare all removed outdated or vulnerable virtual appliances.
The “Orca Security 2020 State of Virtual Appliance Security” report found that as evolution to the cloud is accelerated by digital transformation across industries, keeping virtual appliances patched and secured has fallen behind. The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.
To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analyzed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.
Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.
“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, Orca Security CEO and co-founder. “The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry