Legit Security Discovers “MarkdownTime”, A Vulnerability in Markdown Services Affecting GitHub, GitLab and Countless Others

TEL AVIV, Israel, Jan. 19, 2023 (GLOBE NEWSWIRE) — Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered an easy-to-exploit Denial-of-Service (DoS) vulnerability in Markdown libraries used by GitHub, GitLab and countless other applications that rely on a popular markdown rendering library called commonmarker. Coined "MarkdownTime", a vulnerable version of commonmarker allows an attacker to mount a simple DoS attack that could shut down innumerable digital business services across the globe by disrupting their application development pipelines. More information on the vulnerability and how to mitigate the risk is found in a technical disclosure blog found here.

Markdown is a lightweight syntax for creating formatted text in a plain text editor, and it is commonly found in software development tools and environments. A wide range of applications and projects implement the popular open source markdown libraries, such as the variant used in GitHub's implementation, GFM (GitHub Flavored Markdown). In this case, Legit Security researchers found that it was simple to trigger unbounded resource exhaustion in the renderer, leading to a Denial-of-Service condition that could take down the service. After bringing this vulnerability to the attention of the GitHub security team, GitHub recognized the issue and posted a formal acknowledgement and fix, which can be found here: CVE-2022-39209. It should be noted that many other tools and services may also be susceptible to the same vulnerability.

"Open-source libraries are ubiquitous in modern software development, but when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code," said Liav Caspi, CTO and co-founder of Legit Security. "When a library becomes popular and widespread, a vulnerability inside of it could potentially enable an attack on countless projects. Those attacks can include disruption of critical business services, such as crippling the software supply chain and the ability to release new business applications."

This is exactly what the Legit Security research team saw with MarkdownTime: a copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing Markdown support, which has more than 1 million dependent repositories. The Legit Security team found implementations across several business-critical source code management services, among them GitHub and GitLab. Using this vulnerability, an unauthenticated attacker can bring down entire software production pipelines, causing significant damage to organizations' digital business initiatives. Many other services beyond software development environments may also be vulnerable to costly business disruption.

The Legit Security research team has disclosed this security issue to the maintainer of commonmarker, as well as to both GitHub and GitLab. All of them have fixed the issue, but many more copies of this markdown implementation have been deployed and remain in use. An in-depth description of MarkdownTime, along with information on how to protect organizations and projects, can be found in Legit Security's blog.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.

Media Contact
Tony Keller
OutVox
tkeller@outvox.com


GLOBENEWSWIRE (Distribution ID 8732969)

Report on the Sustainability Governance Practices of the 30 Largest Global Banks Comes Up With Interesting Findings

LONDON, Jan. 19, 2023 (GLOBE NEWSWIRE) — Morrow Sodali and Nestor Advisors – A Morrow Sodali Company, are pleased to announce the publication of "Governance of sustainability in the largest global banks: A study of the top 30 European and North American banks".

This Report examines the sustainability governance practices of the 30 largest European and North American banks. In preparing the Report, we reviewed various publicly available documentation and also interviewed representatives from fifteen leading banks, including nine board chairs, other board members and senior executives. Interviewees shed light on different practices, and why banks chose to pursue them. The resulting Report compares the banks across several data points and analyzes these findings against a double index of sustainability and financial performance.

Stilpon Nestor, the Report's leading author stated, "Sustainability is one of the big issues facing banks and their leadership. Shareholders and various stakeholders, including regulators, expect banks to be proactive in sustainability. On the strategy side, the "greening of the book" is the big challenge, especially in markets with big "brown" sectors. On the risk side, some regulators expect banks to integrate sustainability risk within the core risk management framework and its key categories. They also expect a clear sustainability perspective in the risk appetite framework. In order to deliver in these areas, global banks have reshaped existing governance and organizational arrangements and have developed some new ones. Our Report examines these arrangements and comes up with interesting, sometimes counterintuitive, findings."

Among these findings, the issue of board skills in relation to sustainability was highlighted. None of the banks we interviewed see having sustainability experts on the board as a priority. Their priority is to make their existing board members more cognizant of sustainability issues. In that sense, they emphasize the development of director skills.

How does a board structure itself to address sustainability? In many cases, this is done by setting up a new committee. However, structure often reflects the level of maturity of the issues in a bank. One interesting finding of the Report is that banks further advanced in the "maturity spectrum" have done away with special committees and discuss sustainability as part of the general strategy and risk appetite.

Another key finding relates to the role of management in ensuring all business functions strengthen their capabilities to understand sustainability. This is an issue that touches upon all business areas of a bank, whether it is a corporate, retail or private bank, as well as risk, finance and internal audit functions. That is why most global banks have created senior management committees to oversee this transversal work. The seniority of the members of this committee is key. In 50% of the banks, the CEOs themselves are heading this senior coordinating committee.

Most banks have also included sustainability parameters in their executive remuneration approach. The Report finds that in the best performing ones, sustainability considerations have a relatively significant "weight" among other factors in determining variable compensation.

We hope you find this study insightful, and that the findings will be helpful from the perspective of all stakeholders. Click here to request the Report in full.

ABOUT MORROW SODALI

Morrow Sodali is a leading provider of strategic advice and shareholder services to corporate clients around the world. The firm provides corporate boards and executives with strategic advice and services relating to corporate governance, ESG, shareholder and bondholder communication and engagement, capital markets intelligence, proxy solicitation, shareholder activism and mergers and acquisitions.

From headquarters in New York and London, and offices and partners in major capital markets, Morrow Sodali serves over 1,000 corporate clients in 80+ countries, including many of the world's largest multinational corporations. In addition to listed and private companies, its clients include financial institutions, mutual funds, ETFs, stock exchanges and membership associations.

For more information, please visit morrowsodali.com.

ABOUT NESTOR ADVISORS

Nestor Advisors is the specialized board and governance advisory subsidiary of Morrow Sodali. We are a global advisory firm specializing in corporate governance, sustainability and organizational design, and work with the boards and senior management of financial institutions, companies and not-for-profit organizations to improve decision making, organizational structures, controls and incentives.

Fully integrated with Morrow Sodali, the two companies provide the firm's global client base with a comprehensive suite of advisory services relating to corporate governance, ESG, sustainability and stakeholder engagement.

Our services span a broad spectrum including holistic assessments yielding a significant redesign of a company's governance system, board evaluations, group governance, board training, risk management, and the development of specific policies and controls. Whatever the scope, our services are always closely tailored to our clients' needs.

For more information, please visit nestoradvisors.com.

CONTACTS

Elena Cargnello
Corporate Director, Marketing
e.cargnello@morrowsodali.com
+44 (0)20 4513 6913


GLOBENEWSWIRE (Distribution ID 8732968)