
Git Vulnerabilities Underscore the Importance of Open-Source Support

Peter Fandel

February 16, 2023

Git's open-source distributed version control system is the most popular source code management tool today. The platform's distributed architecture provides superior raw performance, flexibility and heightened security features to ensure the integrity and authenticity of its community's source code and content history.

However, earlier this year, Git announced two security vulnerabilities (CVE-2022-41903 and CVE-2022-23521). Both are rated critical and leave source code repositories susceptible to the unintended execution of malicious code. While Git has rolled out its latest version (2.39.1) to patch these issues, many unsupported users of the distributed system are either unaware of these vulnerabilities or lack the expertise and resources to upgrade or address them head-on.
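A first step for any team that cannot rely on vendor patching is simply to find out which Git release is actually installed on each build host and compare it with the patched release named above. The following check is an added example written for this post, not code from Git or Rocket Software; it assumes 2.39.1 as the threshold, as stated above, and the `git --version` banner format. Maintenance-line backports and vendor builds can carry a fix at a lower version number, so treat a "below threshold" result as a prompt to consult your vendor's advisory rather than as proof of exposure.

```python
import re
import subprocess

# Patched release named on the page for the two critical Git CVEs (assumption: 2.39.1
# is the threshold; vendor backports to older maintenance lines are not modelled here).
PATCHED_GIT = (2, 39, 1)
GIT_CVES = ("CVE-2022-41903", "CVE-2022-23521")


def parse_git_version(banner):
    """Extract (major, minor, patch) from a 'git version 2.39.1' style banner.

    Suffixes such as '2.39.1.windows.1' are tolerated by reading only the first
    three numeric components; a missing patch component is treated as 0.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not match:
        raise ValueError(f"unrecognised git version string: {banner!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(version, threshold=PATCHED_GIT):
    """Tuple comparison gives correct ordering (2.39.1 > 2.39.0 > 2.9.5)."""
    return tuple(version) >= tuple(threshold)


def assess(banner):
    """Return the parsed version, whether it meets the threshold, and the CVEs
    that remain a concern if it does not."""
    version = parse_git_version(banner)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "open_cves": () if patched else GIT_CVES,
    }


def installed_git_banner():
    """Read the banner of the git binary on PATH (raises if git is absent)."""
    result = subprocess.run(
        ["git", "--version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, then the real local binary if available.
    for sample in ("git version 2.38.1", "git version 2.39.1", "git version 2.39.1.windows.1"):
        print(sample, "->", assess(sample))
    try:
        print("local:", assess(installed_git_banner()))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("local git not available:", exc)
```

Run it on every host that builds or fetches from untrusted repositories (CI runners included); a host reporting `patched: False` should be cross-checked against the vendor's advisory before being scheduled for upgrade.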

While Git is a free and reasonably intuitive distributed system, these latest vulnerabilities underscore the importance of open-source support, with countless development teams left in limbo.

Rocket Software Open AppDev for Z Support

Rocket Software's Open AppDev for Z provides a DevOps/AppDev modernization solution entirely based on open source, empowering mission-critical enterprises and next-gen developers with preferred open-source languages and tools—including Git—to generate faster responsiveness to market needs while eliminating the costs associated with maintaining separate mainframe DevOps infrastructures. 

While Rocket Open AppDev for Z's 20 ported open-source tools and languages for IBM zSystems are available to download from Rocket Software at no cost, clients that purchase Rocket Open AppDev for Z services and support get immediate delivery of CVE patches and version currency updating, whereas unsupported users must wait three to six months to receive fixes.

Currently, for users running these open-source tools and languages without support, there is a substantial backlog of 57 CVE resolutions (list below), and the latest vulnerabilities jeopardize the security and accuracy of each Git user's source code and content history. While unsupported Open AppDev for Z users must wait months for CVE patches to be made public, development teams leveraging Rocket Open AppDev for Z's services and support received CVE resolution in just three business days—ensuring the integrity and safety of their companies' coding and content history.

The Git vulnerabilities are just the latest use case for open-source support. Poor software quality and errors cost companies trillions of dollars each year. While open-source software helps you modernize mainframe development, without support, it can also open your organization to development delays, security and compliance risks, and extended mean-time-to-repair of issues with no SLA contracts in place, not to mention time-consuming maintenance on your end.

In addition to Rocket Open AppDev for Z, Rocket Support for Zowe—another supported open source solution from Rocket Software—ensures your mainframe developers have access to modern open-source innovation through the Zowe open source framework from Open Mainframe Project while providing 24x7 support and security assurance from a single vendor. This means you receive immediate implementation of the latest versions and fixes to CVEs for Zowe, faster mean-time-to-repair and access to a wider range of virtual desktop applications that most Zowe users are looking for.

Find out how exclusive access to DevOps tools, the latest CVE fixes, and 24x7 expert support can help your development team take its open-source mainframe initiative to the next level. Visit the Rocket Open Source Solutions for z/OS page.

CVE (and Black Duck) vulnerability resolutions available to Rocket Open AppDev for Z users (Note: Available to unsupported users in five months)

  • Git: CVE-2022-41903, CVE-2022-23521 (both critical severity)
  • cURL: CVE-2022-32221, CVE-2022-42916, CVE-2022-43551, CVE-43552
  • gzip: CVE-2022-1271
  • perl-dbi 1.643=pl532_5: CVE-2014-10402
  • php 8.1.1=11: CVE-2022-37454
  • sudo 1.8.21p2=10: CVE-2022-43995
  • ncurses (Bash dependency): CVE-2022-29458

(Note: Available to unsupported users in three months)

  • cURL: CVE-2022-22576, CVE-2021-22924, CVE-2021-22945, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208, CVE-2022-35252, BDSA-2022-0504, BDSA-2022-1120, BDSA-2022-1130, BDSA-2022-1336
  • Git: CVE-2022-24765, CVE-2022-29187, CVE-2022-39253, CVE-2022-39260
  • OpenSSL: CVE-2022-0778, CVE-2021-4160, CVE-2022-1292, CVE-2022-2068
  • sudo: CVE-2019-14287, CVE-2019-18634, CVE-2021-2323, WS-2021-0493
  • unzip: CVE-2014-8139, CVE-2014-8140, CVE-2014-8141, CVE-2014-9636, CVE-2014-9913, CVE-2015-7696, CVE-2015-7697, CVE-2016-9844, CVE-2018-1000035, CVE-2018-18384, CVE-2019-13232
  • ncurses (Bash dependency): CVE-2018-19211, CVE-2021-39537, CVE-2019-17594, CVE-2019-17595