
Apache Software Foundation

Company


The Apache Software Foundation (ASF) is a non-profit foundation organized on March 25, 1999 by members of the Apache Group. Its headquarters is in Delaware (USA). The ASF is a proponent of open source software and is funded by financial contributions from the largest IT corporations, including Google, Yahoo! and even Microsoft. Whereas the organization was previously engaged exclusively in supporting and developing its products, today the main responsibility of the ASF is the legal protection of its products and of the Apache brand itself. Notably, ASF members are mostly enthusiasts who also take part in many other open source projects in the field of information technology.

History

2025: Critical hole in Apache ActiveMQ allows you to hack the system remotely

In the twenties of October, FSTEC sent out a warning about the discovery of the critical vulnerability BDU:2025-13133[1] in a library of the Apache ActiveMQ software platform, which allows a remote attacker to execute arbitrary code on the client side. The vulnerability's CVSS score is 9.8 (out of 10). The development community has released fixes, which experts recommend installing promptly.

Apache ActiveMQ platform is the basis for enterprise messaging systems

The Apache ActiveMQ software platform is a multi-protocol, open source message broker written in Java that implements the standard Java Message Service (JMS) messaging API, which is used for asynchronous data transfer between different applications and systems.

The vulnerable component is the Apache ActiveMQ NMS AMQP library, which combines the .NET Message Service (NMS) API with the standard Advanced Message Queuing Protocol (AMQP). The flaw belongs to the class of deserialization of untrusted data (CWE-502), that is, it stems from unsafe deserialization of serialized Java objects received from an untrusted source. Library versions up to and including 2.3.0 are vulnerable.

"The vulnerability allows a remote attacker to execute arbitrary code on the server simply by sending a specially crafted message," Igor Bederov, director of the investigation department at T.Hunter, warned TAdviser readers. "This is a classic RCE vulnerability. Depending on the configuration and the rights under which ActiveMQ operates, an attacker can gain full control over the system: install programs, view, change or delete data, and create new accounts."

Since .NET technology is used to build heterogeneous infrastructures that combine Linux and Windows, such a tool is quite popular in Russia. Although the Apache ActiveMQ broker is deployed mainly inside corporate IT infrastructures, this vulnerability can be exploited remotely with a specially prepared message, and such messages can be sent at scale.

"Although exploitation requires certain technical knowledge and specific conditions, the nature of the vulnerability (deserialization of untrusted data) makes it potentially suitable for mass attacks in cases where organizations use vulnerable versions of the library without updates and traffic protection," Kirill Levkin, MD Audit project manager, warned TAdviser readers. "The threat is especially high in distributed systems with external connection points."

The library can be used in a variety of message processing systems. In some cases a messaging system is built on Apache open source code without this being obvious to the user. Companies should therefore monitor the behavior of all their messaging endpoints, especially if they know that an Apache ActiveMQ broker is installed in their infrastructure.

"Apache ActiveMQ is used in many Russian companies," Mikhail Sergeyev, a leading CorpSoft24 engineer, told TAdviser. "The application is common in the banking sector, among telecom operators and, in general, in those IT sectors where message exchange between systems is required. This platform is often embedded in finished products and services, so the exact number of installations is difficult to estimate."

The main protective measure is prompt updating of components from trusted sources after an internal risk assessment. In addition, Kirill Levkin recommends enabling security event logging, using web application firewalls (WAF) to filter suspicious traffic, and using secure communication channels for remote access to the message broker. It is also worth segmenting the network, limiting ActiveMQ's interaction to trusted services only, and monitoring messaging for anomalies.

2019

Transfer all projects to GitHub

On April 29, 2019, the Apache Software Foundation, a nonprofit organization considered the world's largest open source software development community, announced that it was moving all of its projects to GitHub.

Previously, two version control systems were used to develop Apache projects: the centralized Subversion system and the decentralized Git system. As GitHub grew in popularity, however, project authors and communities increasingly wanted their code hosted on that service, the foundation explained.

At the end of April 2019, the foundation completed the integration of its infrastructure with GitHub and the transfer of all of its git services to that platform.

Apache has moved all of its projects to GitHub. Migration touched 200 million lines of code

This involves 350 projects and 200 million lines of code. They became accessible to the vast GitHub community, which by the end of April 2019 numbered more than 21 million developers and over 2 million companies and organizations, with more than 100 million repositories hosted on the service. The Apache Software Foundation has 700 members and more than 7 thousand developers who write code for its projects.

Read-only mirrors of Apache repositories have been available on GitHub since 2014. In 2016, the foundation began integrating its services with GitHub's repositories and tools.

At the end of April 2019, the GitHub repositories became the primary ones and can be used to submit and review changes. Apache's own git services have been switched to serve as backup mirrors.

Using GitHub instead of its own infrastructure is expected to help Apache simplify project work and to use tools already familiar to many new developers for submitting changes, discussing and reviewing code, and collaborating with developers of other projects. [2]

Value of developed software amounts to $20 billion

According to the foundation, it provides free open source software worth more than $20 billion. Since the ASF was founded, the number of projects developed under Apache has exceeded 350 (52 of them in the incubator); they cover areas such as machine learning, big data, build management, cloud systems, content management, DevOps, IoT, mobile application development, server systems and web frameworks.

Open source projects come under the ASF's wing because they are attracted by the flexibility of the foundation's organizational model and the opportunity it provides for collaborative development. Beyond the projects associated with the ASF, however, there are thousands of other projects that are not members but nevertheless release their products under the Apache license.

The Apache license is a permissive open source license that gives access to an open code base and encourages contributions to it from independent contributors. The main advantage of the Apache license is not only its openness but also that it allows vendors to layer their own proprietary code on top of an open code base in order to develop (and sell) enterprise solutions.

The ASF has created a neutral, vendor-independent and trusted platform for community-driven development of open source software. Development is overseen by more than 7,000 contributors. The code base of all Apache projects exceeds 200 million lines. Over 20 years, 3 million changes covering more than a billion lines of code have been accepted into the project code bases.

1994-1999

The foundation's history is directly tied to the Apache HTTP Server, the organization's most popular product. Work on this software began back in 1994. A group of eight developers founded the organization, which was originally named the Apache Group and only later reorganized into a non-profit foundation. The first official board meeting of the Apache Software Foundation was held on April 13, 1999, and the list of members of the Apache Software Foundation was approved by general consent. They were Brian Behlendorf, Ken Coar, Mark Cox, Lars Eilebrecht, Ralf S. Engelschall, Roy T. Fielding, Dean Gaudet, Ben Hyde, Jim Jagielski, Alexei Kosut, Martin Kraemer, Ben Laurie, Doug MacEachern, Aram Mirzadeh, Sameer Parekh, Cliff Skolnick, Marc Slemko, Paul Sutton and Dirk-Willem van Gulik.

Interesting facts

Initially, the group was engaged in developing patches for various programs. This gave rise to the name "A PAtCHy" server, which became Apache.

Products

Notes

  1. BDU:2025-13133
  2. Apache hooks up with GitHub, https://www.zdnet.com/article/apache-hooks-up-with-github/