Dubbed Operation Rosehub, the initiative was volunteered by some 50 Google employees, who utilized 20 percent of their work time to patch over 2600 open source projects on Github, those were vulnerable to "Mad Gadget vulnerability."
Mad Gadget vulnerability (CVE-2015-6420) is a remote code execution bug in the Java deserialization used by the Apache Commons Collections (ACC) library that could allow an unauthenticated, remote attacker to execute arbitrary code on a system.
The ACC Library is widely deployed by many Java applications to decode data passed between computers. To exploit this flaw, all an unauthorized attacker need to do is submit maliciously crafted input to an application on a targeted system that uses the ACC library.
Once the vulnerable ACC library on the affected system deserializes the content, the attacker could remotely execute arbitrary code on the compromised system, which could then be used to conduct further attacks.
Remember ransomware attack on Muni Metro System? Late last year, an anonymous hacker managed to infect and take over more than 2,000 computers using this same Mad Gadget flaw in the software used to operate San Francisco's public transport system.
Following the public disclosure of the Mad Gadget flaw, almost every commercial enterprise including Oracle, Cisco, Red Hat, VMWare, IBM, Intel, Adobe, HP, Jenkins, and SolarWinds formally disclosed that they had been impacted by this vulnerability and patched it in their software.
However, few months after all big businesses patched the flaw, one of the Google employees noticed that several prominent open source libraries were still depending on the vulnerable versions of ACC library.
"We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub," Justine Tunney, Software Engineer on TensorFlow, wrote on Google Open Source Blog.Under Operation Rosehub, patches were sent to many open source projects, although the Google employees were only able to patch open source projects on GitHub that directly referenced vulnerable versions of ACC library.
According to the Open Source Blog, if the San Francisco Municipal Transportation Agency's software systems had been open source, Google engineers would also have been able to deliver patches for Mad Gadget to them, and their systems would have never been compromised.