Critical Vulnerability CVE-2017-5638 Attacks Escalating

Critical Vulnerability CVE-2017-5638 Attacks Escalating

 Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit this critical vulnerability (CVE-2017-5638), which allows attackers to exploit a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting it on Struts implementations that don't have the update installed yet. There are (at least) two working exploits publicly available, making it relatively simple to take control of web servers in a wide variety of industries.

While NIST has only had a placeholder for the CVE-2017-5638 vulnerability, we have been reporting on it to customers who have used this component since Monday (the same day the patch was released), through our Enhanced Vulnerability Data (EVD). 

Apache Struts 2 Vulnerability Data in Hub

Obviously, zero day vulnerabilities are a problem, in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers with exploits already reported to be in the wild.

Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% still were vulnerable to Heartbleed. 

This is evidence that even well publicized vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application, and almost 10% had three or more versions, further complicating remediation for a vulnerability like this. Unless organizations are diligent about tracking the open source they are using, and vulnerabilities as they are disclosed, these issues don’t get addressed.

Request a Live Demo

 

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

Vulnerability Management and Triage in 3 Steps

| Mar 23, 2017

Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what's

| MORE >

CVE-2017-2636 Strikes Linux Kernel with Double Free Vulnerability

| Mar 20, 2017

We often talk about how open source is not less secure (or more secure) than commercial software. For one thing,commercial software contains so much open source that it’s difficult to find anything that doesn’t include open source. There are, however, characteristics of open source that make it

| MORE >