Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

Apache Struts Vulnerability: There’s More to It Than Patching

9/19/2017

0 Comments

 
Apache Struts logo
Image: Apache Struts

Apache Struts Vulnerability: There’s More to It Than Patching

​Equifax claimed in its latest announcement that the vulnerability in the Apache Struts in its US online dispute portal web application caused the massive data breach affecting 143 million Americans – almost all of the adults in the US.

What is Apache Struts?

​Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
 
The Apache Software Foundation, a not-for-profit corporation, manages, provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts.
 
According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017.
 
During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers and personal information for certain Canadian and UK residents.
 
From March 2017 to September 2017, security researchers have identified several critical vulnerabilities in Apache Struts. These include:
  • Vulnerability Name: CVE-2017-5638
Date of discovery: March 6, 2017
  • Vulnerability Name: CVE-2017-9791
Date of discovery: July 7, 2017
  • Vulnerability Name: CVE-2017-9787
Date of discovery: July 11, 2017
  • Vulnerability Name: CVE-2017-7672
Date of discovery: July 11, 2017
  • Vulnerability Name: CVE-2017-9805
Date of discovery: September 5, 2017
  • Vulnerability Name: CVE-2017-12611
Date of discovery: September 7, 2017

Notable Apache Struts Vulnerability #1: CVE-2017-5638

​CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that particularly affects the Jakarta Multipart parser. Hackers exploiting this vulnerability can attack a web application, take full control of the web server and inject it with commands of their choice.
 
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of their choice. 

Notable Apache Struts Vulnerability #2: CVE-2017-9805

​CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. All web apps using the popular REST plugin of Apache Struts are particularly vulnerable. Security researchers at lgtm discovered this vulnerability. If this vulnerability is exploited, hackers can run malicious code on the app server, either take full control of the machine or launch further attacks.
 
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
 
Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.

Common Patching Versus Web App Patching

​All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven’t patched their vulnerable web apps.
 
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different as it needs each web app to be recompiled using a patched version. In fixing an Apache Struts vulnerability, the web app code will have to be changed as opposed to just applying the vendor patch.
 
In addition to the complexity of patching a web app, organizations also have problems in getting trusted and skilled personnel to patch the web apps since most of the original web app developers have moved on to other projects or to other companies.
 
The time element between waiting for the right personnel to patch the web app and waiting for the code modification is critical. One of the preventive measures that your organization can use is virtual patching.
 
“Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.

Additional Preventive Measures

The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
 
The not-for-profit organization, however, said that majority of the breaches that came to the organization’s attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
 
The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:
“1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.
 
“2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.
 
“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
 
“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
 
“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”
​
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2020 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit