The news of this vulnerability comes as we’re still picking up the pieces from the Log4j vulnerability disclosed in December, so it serves as a stark reminder of how frequently open source vulnerabilities surface. Vulnerabilities such as these often necessitate a significant remediation effort, but organizations with consistent visibility into the software that powers their business can spend less time evaluating their exposure and more time remediating it. This is what makes a continuously updated software bill of materials (SBOM) the key to getting and staying ahead of attackers when the next open source vulnerability is found.
The PolKit package isn’t something that developers decide to pull into an application they’re developing; rather, it comes along for the ride whenever an affected Linux distribution is used as the operating system – it’s sort of a “package deal,” no pun intended. Considering the widespread use of Linux, this introduces a unique risk, especially to organizations developing IoT devices, embedded systems, and virtual machine templates. To evaluate and address this risk, Synopsys’ Black Duck software composition analysis (SCA) provides users with signature and binary analysis, so they can analyze firmware, determine whether a vulnerable Linux distribution is included, and be armed with a complete list of any additional components included in their firmware and VMs.
Once you are armed with a comprehensive SBOM, Black Duck Security Advisories (BDSAs) provide an added layer of protection, with same-day notification of newly reported vulnerabilities. In the case of PolKit, Black Duck customers are busy working on remediation, while at the time of this writing, NVD data remains a gap.
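As an added illustration of the exposure-scoping step the two paragraphs above describe (this is example code, not code from the original post or from Black Duck), the following Python walks a set of constructed CycloneDX-style SBOMs, one per firmware or VM image, and reports which images carry PolKit under any of its distribution package names once an advisory for it lands. The image names, package versions and the set of package names are assumptions, not data from the page.

```python
import json

# Constructed sample data: one CycloneDX-style SBOM (as JSON text) per
# firmware or VM image. Versions and package contents are illustrative only.
SAMPLE_SBOMS = {
    "camera-fw-1.4": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "operating-system", "name": "debian", "version": "11"},
            {"type": "library", "name": "policykit-1", "version": "0.105-31",
             "purl": "pkg:deb/debian/policykit-1@0.105-31?arch=armhf"},
            {"type": "library", "name": "openssl", "version": "1.1.1n"}]}),
    "gateway-vm-template": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "operating-system", "name": "centos", "version": "8"},
            {"type": "library", "name": "polkit", "version": "0.115-11.el8",
             "purl": "pkg:rpm/centos/polkit@0.115-11.el8"}]}),
    "sensor-fw-2.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "busybox", "version": "1.35.0"}]}),
}

# Distribution package names under which upstream PolKit is shipped
# (assumed set for this example; extend it for the distributions in your SBOMs).
POLKIT_PACKAGE_NAMES = {"polkit", "policykit-1"}


def purl_name(purl):
    """Extract the package name from a purl: the segment after the last '/'
    and before any '@' version or '?' qualifiers."""
    body = purl.split("?", 1)[0].split("@", 1)[0]
    return body.rsplit("/", 1)[-1]


def find_exposed(sboms, package_names):
    """Return {image: [(package, version), ...]} for every SBOM that lists a
    component whose name or purl package name matches one of package_names."""
    exposed = {}
    for image, text in sboms.items():
        hits = []
        for comp in json.loads(text).get("components", []):
            names = {comp.get("name", "").lower()}
            if comp.get("purl"):
                names.add(purl_name(comp["purl"]).lower())
            if names & package_names:
                hits.append((comp.get("name"), comp.get("version")))
        if hits:
            exposed[image] = hits
    return exposed


if __name__ == "__main__":
    for image, hits in find_exposed(SAMPLE_SBOMS, POLKIT_PACKAGE_NAMES).items():
        print(image, "->", ", ".join(f"{n} {v}" for n, v in hits))
```

The same lookup works for any component named in a new advisory; only the package-name set changes, which is why keeping the SBOMs current matters more than the script.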