The Driz Group

Cybersecurity Blog


9/19/2017

Apache Struts Vulnerability: There’s More to It Than Patching

Image: Apache Struts logo

Equifax said in its latest announcement that the massive data breach affecting roughly 143 million US consumers, more than half of the country's adult population, was caused by the exploitation of a vulnerability in Apache Struts in its US online dispute portal web application. Equifax identified that vulnerability as CVE-2017-5638.

What is Apache Struts?

Apache Struts is an open-source framework for developing web applications in the Java programming language. A significant number of organizations use it to build publicly-accessible web applications such as airline booking systems and internet banking applications. Struts is not installed once per server; it is a library that is bundled into each application it is built with, which matters for how it gets patched (see below).
 
The Apache Software Foundation, a not-for-profit corporation, manages the Apache open-source projects, including Apache Struts, and provides them with organizational, legal and financial support.
 
According to Equifax, the unauthorized access that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million US consumers occurred from May 13, 2017 to July 30, 2017.
 
During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers and personal information for certain Canadian and UK residents.
 
Between March and September 2017, the Apache Struts project publicly disclosed and fixed several vulnerabilities. Not all of them are equally severe: two allow remote code execution from a single unauthenticated request, while others are denial-of-service issues. They include:
  • CVE-2017-5638: remote code execution through the Jakarta Multipart parser
Date of public disclosure: March 6, 2017
  • CVE-2017-9791: remote code execution through the Struts 1 plugin
Date of public disclosure: July 7, 2017
  • CVE-2017-9787: denial of service through the URLValidator
Date of public disclosure: July 11, 2017
  • CVE-2017-7672: denial of service through the URLValidator (a regression of the CVE-2017-9787 fix)
Date of public disclosure: July 11, 2017
  • CVE-2017-9805: remote code execution through the REST plugin
Date of public disclosure: September 5, 2017
  • CVE-2017-12611: remote code execution through Freemarker tag attributes
Date of public disclosure: September 7, 2017

Notable Apache Struts Vulnerability #1: CVE-2017-5638

CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that affects the Jakarta Multipart parser. An attacker sends a request whose Content-Type header carries an OGNL (Object-Graph Navigation Language) expression instead of a valid media type. When the parser rejects the header and builds its error message, Struts evaluates the expression, so the attacker's commands run with the privileges of the application server process. No authentication is required and a single HTTP request is enough.
 
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack first disables the host firewall protecting the server and then downloads and executes malware of the attacker's choice.

Notable Apache Struts Vulnerability #2: CVE-2017-9805

CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. It affects web apps that use the popular REST plugin, which deserializes XML request bodies with the XStream library without restricting the classes that may be instantiated. Security researchers at lgtm discovered this vulnerability. An attacker who exploits it can run malicious code on the application server and either take full control of the machine or use it to launch further attacks.
 
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
 
Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.

Common Patching Versus Web App Patching

All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven't patched their vulnerable web apps.
 
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different. Struts is a library packaged inside each web application (typically under WEB-INF/lib of its WAR file), so there is no operating-system-level patch to apply. Each application's dependency has to be updated to a fixed Struts release, and the application rebuilt, retested and redeployed. Where the fixed release is on a newer branch, the application's own code may also need changes to compile against it.
 
In addition to the complexity of patching a web app, organizations also have trouble finding trusted and skilled personnel to do the work, since most of the original web app developers have moved on to other projects or to other companies.
 
The time spent waiting for the right personnel and for the code changes to be made, tested and deployed is time during which the application remains exploitable. One of the preventive measures that your organization can use to cover that window is virtual patching.
 
“Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.
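What a virtual patch for the two Struts vulnerabilities discussed above looks like in practice, as an added example that is not the article's, Imperva's or the Struts project's code: a request filter in the spirit of a WAF rule that flags an OGNL expression in a multipart Content-Type header (CVE-2017-5638, Struts advisory S2-045, with the S2-046 variant that places it in a part's Content-Disposition) and an XStream gadget class in an XML body sent to a REST plugin endpoint (CVE-2017-9805, S2-052). The sample requests are constructed, the gadget class list is a partial denylist assumed for illustration, and the rule names are this example's own.

```python
"""Virtual-patch style filter for S2-045/S2-046 and S2-052 request shapes.

Added example. It reduces the window of exposure; it does not replace
upgrading struts2-core to a fixed release.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]   # header names lower-cased by the caller
    body: bytes = b""


# Markers of OGNL evaluation seen in S2-045/S2-046 payloads: '%{' or '${'
# opens an expression; the other tokens appear in published payloads that
# disable Struts' member-access restrictions. No legitimate multipart header
# contains any of them.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.Runtime", re.I)

# Classes used by the public S2-052 proof-of-concept chain (lower-cased).
# Assumption: a partial denylist for illustration. Gadget chains change, so
# the real fix is the Struts upgrade, not maintaining this list.
XSTREAM_GADGET_TOKENS = (
    b"java.lang.processbuilder",
    b"java.lang.runtime",
    b"jdk.nashorn.internal.objects.nativestring",
    b"com.sun.xml.internal.bind.v2.runtime.unmarshaller.base64data",
)
XML_TYPES = {"application/xml", "text/xml"}
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.I)


def media_type(req: Request) -> str:
    """Media type of the request without parameters, lower-cased."""
    return req.headers.get("content-type", "").split(";")[0].strip().lower()


def multipart_part_headers(req: Request) -> list[str]:
    """Header block of each multipart part (text before the part's blank line).

    Only part headers are inspected, so '${' inside an uploaded file's
    contents does not trigger the rule.
    """
    m = BOUNDARY_RE.search(req.headers.get("content-type", ""))
    if not m:
        return []
    delim = b"--" + m.group(1).encode("latin-1")
    blocks = []
    for part in req.body.split(delim)[1:]:
        head, _, _ = part.partition(b"\r\n\r\n")
        blocks.append(head.decode("latin-1", errors="replace"))
    return blocks


def inspect(req: Request) -> list[str]:
    """Names of the rules the request trips; an empty list means allow."""
    hits: list[str] = []
    if OGNL_MARKERS.search(req.headers.get("content-type", "")):
        hits.append("S2-045: OGNL in Content-Type header")
    if media_type(req) == "multipart/form-data":
        for head in multipart_part_headers(req):
            if OGNL_MARKERS.search(head):
                hits.append("S2-046: OGNL in multipart part header")
    if media_type(req) in XML_TYPES:
        body = req.body.lower()
        for tok in XSTREAM_GADGET_TOKENS:
            if tok in body:
                hits.append(f"S2-052: XStream gadget class {tok.decode()}")
                break
    return hits


def run_samples() -> dict[str, list[str]]:
    """Constructed requests: two legitimate, three shaped like the exploits."""
    samples = {
        "benign_upload": Request("POST", "/upload.action",
            {"content-type": "multipart/form-data; boundary=x9f3"},
            b'--x9f3\r\nContent-Disposition: form-data; name="f"; filename="q1.pdf"\r\n'
            b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ${price} file bytes\r\n--x9f3--\r\n"),
        "s2_045": Request("POST", "/index.action",
            {"content-type": "%{(#_='multipart/form-data').(#x=1)}"}),
        "s2_046": Request("POST", "/upload.action",
            {"content-type": "multipart/form-data; boundary=x9f3"},
            b'--x9f3\r\nContent-Disposition: form-data; name="f"; filename="%{(#_=1)}\x00a.txt"\r\n'
            b"Content-Type: text/plain\r\n\r\nhello\r\n--x9f3--\r\n"),
        "s2_052": Request("POST", "/orders/3",
            {"content-type": "application/xml"},
            b"<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
            b'<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">'
            b"</value></jdk.nashorn.internal.objects.NativeString></entry></map>"),
        "benign_rest": Request("POST", "/orders/3",
            {"content-type": "application/xml; charset=utf-8"},
            b"<order><clientName>Bob</clientName><amount>42</amount></order>"),
    }
    return {name: inspect(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {'BLOCK ' + '; '.join(hits) if hits else 'allow'}")
```

Two design points carry over to a real deployment: the filter inspects only the places the exploits use (the Content-Type header and the headers of each multipart part, not file contents), which keeps false positives on uploads low, and the S2-052 rule is a class denylist that will lag behind new gadget chains, which is why the Imperva quote above frames virtual patching as a stopgap until the application is rebuilt on a fixed Struts release.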

Additional Preventive Measures

The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
 
The not-for-profit organization, however, said that the majority of the breaches that came to the organization's attention are "caused by failure to update software components that are known to be vulnerable for months or even years."
 
The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:
"1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
 
"2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.
 
“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
 
“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
 
“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”
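The first of these recommendations, and the point made earlier that Struts ships inside each application rather than as a server-wide package, can be put into practice with an inventory check. The following is an added example, not the article's or the Apache Software Foundation's tooling: it opens each deployed WAR, finds the struts2-core jar under WEB-INF/lib, and reports which of the CVEs named in this post are still open for that version. The fixed-release numbers come from the Struts security bulletins for S2-045, S2-052 and S2-053; the deployment names and versions are constructed, and the WAR files are built in memory so the script runs offline.

```python
"""Which deployed web applications still bundle a vulnerable struts2-core?

Added example. The check is per application, because the Struts jar lives
inside each WAR, not on the host.
"""
import io
import re
import zipfile

# Earliest release carrying the fix on each maintained branch, per the Struts
# security bulletins for S2-045, S2-052 and S2-053. Assumption: a version older
# than the fix on its branch is reported even if the advisory's affected range
# starts later, and a branch with no fix (end of life) is reported for every
# CVE, since the only remedy there is moving to a maintained branch.
FIXED_IN = {
    "CVE-2017-5638":  {"2.3": "2.3.32", "2.5": "2.5.10.1"},
    "CVE-2017-9805":  {"2.3": "2.3.34", "2.5": "2.5.13"},
    "CVE-2017-12611": {"2.3": "2.3.34", "2.5": "2.5.13"},
}
STRUTS_JAR = re.compile(r"^WEB-INF/lib/struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); tuple order makes 2.5.10 < 2.5.10.1."""
    return tuple(int(x) for x in v.split("."))


def unpatched_cves(version):
    """CVEs in FIXED_IN whose fix release is newer than `version` on its branch."""
    branch = ".".join(version.split(".")[:2])
    open_cves = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is None or parse_version(version) < parse_version(fixed):
            open_cves.append(cve)
    return open_cves


def struts_versions_in_war(war_bytes):
    """struts2-core versions bundled under WEB-INF/lib of a WAR (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [m.group(1) for m in map(STRUTS_JAR.match, zf.namelist()) if m]


def build_war(jar_names):
    """Construct a minimal WAR with empty jars; enough for the inventory check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


# Constructed deployments; application names and versions are illustrative.
SAMPLE_DEPLOYMENTS = {
    "dispute-portal.war":  ["struts2-core-2.3.31.jar", "commons-fileupload-1.3.2.jar"],
    "booking.war":         ["struts2-core-2.5.10.jar"],
    "banking.war":         ["struts2-core-2.5.13.jar"],
    "legacy-intranet.war": ["struts2-core-2.1.8.1.jar"],
    "static-site.war":     [],
}


def audit(deployments=SAMPLE_DEPLOYMENTS):
    """Map each application to {struts version: [open CVEs]}."""
    report = {}
    for app, jars in deployments.items():
        versions = struts_versions_in_war(build_war(jars))
        report[app] = {v: unpatched_cves(v) for v in versions}
    return report


if __name__ == "__main__":
    for app, findings in audit().items():
        if not findings:
            print(f"{app}: no struts2-core bundled")
        for version, cves in findings.items():
            status = "needs rebuild: " + ", ".join(cves) if cves else "patched"
            print(f"{app}: struts2-core {version} -> {status}")
```

Against real deployments, replace `build_war` with reading the WAR files (or the exploded directories) from the application server, and keep `FIXED_IN` current as new bulletins appear; the report then tells you directly which applications need the rebuild-and-redeploy cycle described above, rather than leaving that to memory of who built what.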
Author: Steve E. Driz, I.S.P., ITCP