Apache Struts Vulnerability: There’s More to It Than Patching
Equifax said in its latest announcement that a vulnerability in Apache Struts, used by its US online dispute portal web application, was exploited in the massive data breach affecting 143 million Americans, more than half of the adult population of the US.
What is Apache Struts?
Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
The Apache Software Foundation, a not-for-profit corporation, manages and provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts.
According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017.
During this period, the attackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers, and personal information for certain Canadian and UK residents.
Between March and September 2017, security researchers identified several critical vulnerabilities in Apache Struts. These include:
Notable Apache Struts Vulnerability #1: CVE-2017-5638
CVE-2017-5638 is a remote code execution vulnerability in the Jakarta Multipart parser used by Apache Struts 2 to handle file uploads. It is triggered by a crafted Content-Type header in an ordinary HTTP request: an attacker who sends such a request to a vulnerable web application can run commands of their choice on the web server, effectively taking full control of it.
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of their choice.
Notable Apache Struts Vulnerability #2: CVE-2017-9805
CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. It affects web apps that use the Struts REST plugin, which deserializes XML request bodies without restricting the types an attacker can supply. Security researchers at lgtm discovered this vulnerability. If it is exploited, an attacker can run malicious code on the app server and either take full control of the machine or launch further attacks from it.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.
Common Patching Versus Web App Patching
All of the above-mentioned vulnerabilities in Apache Struts have already been fixed by the Apache Software Foundation in newer Struts releases. Many organizations, however, still haven't updated their vulnerable web apps.
While many vulnerability fixes require only downloading a vendor patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different. Struts is a library that each web app bundles, so the app's dependency on Struts has to be raised to a fixed release, the app rebuilt against it, tested and redeployed. Where the fixed release changes behaviour or an API the app relies on, the app's own code has to change as well. This is a development and release task, not the application of a vendor patch.
In addition to the complexity of patching a web app, organizations also have difficulty finding trusted and skilled personnel to do the work, since many of the original web app developers have moved on to other projects or other companies.
The window between discovering the vulnerability and deploying the rebuilt app, while the organization waits for the right personnel and for the code change, is where the risk sits. One measure that shortens that window is virtual patching: blocking the known exploit pattern at a web application firewall or reverse proxy in front of the app until the app itself has been fixed.
“Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.
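A concrete virtual patch for the first vulnerability above, as an added example that is not part of the original article and not any vendor's product: a rule that inspects the Content-Type header, the header through which CVE-2017-5638 is triggered, and rejects values carrying OGNL expression syntax while the application is rebuilt against a fixed Struts release. The marker list, the media-type check and the sample requests are my assumptions, constructed for the example.

```python
"""
Added example (not from the original article or any vendor product):
a minimal virtual-patch rule for the CVE-2017-5638 request pattern.

Assumptions (mine, not from the article): the exploit places an OGNL
expression in the Content-Type header of a request that Struts routes to
the Jakarta Multipart parser, so a rule in front of the application can
reject Content-Type values that carry OGNL expression syntax. A legitimate
Content-Type is a plain media type with optional parameters and never
contains these markers. The sample requests below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# OGNL expression delimiters plus tokens seen in public exploit traffic.
_OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#cmd|@ognl\.|@java\.lang\.")

# Shape of a well-formed Content-Type: type/subtype followed by ;name=value
# parameters. Anything that does not fit is rejected outright.
_MEDIA_TYPE = re.compile(
    r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.+-]+=(\"[^\"]*\"|[^;\s]+))*\s*$"
)


def content_type_verdict(headers: Dict[str, str]) -> Optional[str]:
    """Return None to allow the request, otherwise the reason it is blocked."""
    # Header names are case-insensitive and attackers vary the casing.
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if value is None:
        return None
    if _OGNL_MARKERS.search(value):
        return "ognl-expression-in-content-type"
    if not _MEDIA_TYPE.match(value):
        return "malformed-content-type"
    return None


def filter_requests(requests: List[Tuple[str, Dict[str, str]]]) -> Dict[str, Optional[str]]:
    """Apply the rule to (request_id, headers) pairs; map each id to its verdict."""
    return {rid: content_type_verdict(h) for rid, h in requests}


# Constructed sample traffic: two ordinary requests, two exploit attempts,
# and one request with a header that is simply not a media type.
SAMPLE_REQUESTS = [
    ("r1", {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}),
    ("r2", {"content-type": "application/x-www-form-urlencoded"}),
    ("r3", {"Content-Type": "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"}),
    ("r4", {"CONTENT-TYPE": "multipart/form-data; boundary=x; #cmd=whoami"}),
    ("r5", {"Content-Type": "garbage value without a slash"}),
]

if __name__ == "__main__":
    for rid, verdict in filter_requests(SAMPLE_REQUESTS).items():
        print(rid, "allow" if verdict is None else f"block ({verdict})")
```

The rule is deliberately narrow: it matches the delivery mechanism of the exploit rather than any particular payload, so variations on the command being run are caught as well, while ordinary multipart uploads with a normal boundary parameter pass through. It is a stop-gap in front of the application, not a substitute for rebuilding against the fixed Struts release.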
Additional Preventive Measures
The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
The not-for-profit organization, however, said that the majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:
“1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
“2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.
“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”
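Recommendation 1 above and the earlier discussion of patching both come down to the same first step: knowing which Struts release each deployed web app bundles. The following is an added example, not from the article and not an Apache tool, that reads the Struts version out of the jar name each app ships and reports which of the two vulnerabilities discussed above it is still open to. The jar naming convention, the fixed-version table and the file listing are my assumptions, the listing being constructed for the example.

```python
"""
Added example (not from the original article or from Apache): an inventory
check that reads the Struts version each deployed application bundles and
reports which of the two CVEs discussed above it is still exposed to.

Assumptions (mine): Struts 2 ships as a jar named struts2-core-<version>.jar
under WEB-INF/lib of each WAR, and the first fixed releases are 2.3.32 and
2.5.10.1 for CVE-2017-5638 and 2.3.34 and 2.5.13 for CVE-2017-9805, as
stated in the Apache S2-045 and S2-052 advisories. The paths are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per maintenance branch, keyed by CVE.
FIXED: Dict[str, Dict[str, Tuple[int, ...]]] = {
    "CVE-2017-5638": {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)},
    "CVE-2017-9805": {"2.3": (2, 3, 34), "2.5": (2, 5, 13)},
}

_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); integer tuples compare correctly element-wise."""
    return tuple(int(p) for p in text.split("."))


def struts_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version parsed from a struts2-core jar path, or None for any other file."""
    m = _JAR.search(path)
    return parse_version(m.group(1)) if m else None


def exposed_to(version: Tuple[int, ...]) -> List[str]:
    """CVEs from the table above that the given Struts version is still open to."""
    branch = f"{version[0]}.{version[1]}"
    hits = []
    for cve, fixed_by_branch in FIXED.items():
        fixed = fixed_by_branch.get(branch)
        # Branches with no fixed release in the table (2.1, 2.2, ...) are
        # treated as exposed: the safe assumption for an inventory check.
        if fixed is None or version < fixed:
            hits.append(cve)
    return hits


def inventory(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Map each WAR (first path component) to its Struts version and open CVEs."""
    report: Dict[str, Dict[str, object]] = {}
    for p in paths:
        v = struts_version(p)
        if v is None:
            continue
        app = p.split("/")[0]
        report[app] = {"version": ".".join(map(str, v)), "open": exposed_to(v)}
    return report


# Constructed listing of three deployed apps, as `find . -name '*.jar'` would print.
SAMPLE_PATHS = [
    "dispute-portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "dispute-portal/WEB-INF/lib/struts2-rest-plugin-2.3.31.jar",
    "booking/WEB-INF/lib/struts2-core-2.5.12.jar",
    "banking/WEB-INF/lib/struts2-core-2.5.13.jar",
    "banking/WEB-INF/lib/commons-fileupload-1.3.3.jar",
]

if __name__ == "__main__":
    for app, info in inventory(SAMPLE_PATHS).items():
        status = ", ".join(info["open"]) or "no known exposure to the CVEs above"
        print(f"{app}: struts {info['version']} -> {status}")
```

On the constructed listing the first app is open to both vulnerabilities, the second has the 2.5.12 release that closed the multipart parser flaw but not the REST plugin one, and the third is current. In practice the same check should also be fed from build manifests (pom.xml, build.gradle) so that apps which have been built but not yet deployed are inventoried too.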
Steve E. Driz