Critical Vulnerability CVE-2017-5638 Attacks Escalating

Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit a critical vulnerability (CVE-2017-5638), a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting the vulnerability on Struts implementations that don't have the update installed yet. There are (at least) two working exploits publicly available, making it relatively simple to take control of web servers in a wide variety of industries.

While NIST has only had a placeholder for the CVE-2017-5638 vulnerability, we have been reporting on it since Monday (the same day the patch was released) to customers who use this component, through our Enhanced Vulnerability Data (EVD).

Apache Struts 2 Vulnerability Data in Hub

Obviously, zero-day vulnerabilities are a problem, in particular when an exploit is publicly available, as in this case. By definition, no patch exists for zero-day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even less-skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers, with exploits already reported to be in the wild.

Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed that the average age of vulnerabilities in open source used in commercial applications was over five years, and over 10% were still vulnerable to Heartbleed.

This is evidence that even well-publicized vulnerabilities are not being addressed. As for this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application, and almost 10% had three or more versions, further complicating remediation for a vulnerability like this. Unless organizations are diligent about tracking the open source they use, and vulnerabilities as they are disclosed, these issues don’t get addressed.
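Because one application can bundle several Struts versions, the following added example (not from the original post or any Black Duck tool) inventories every `struts2-core` jar inside a WAR/EAR, including nested archives, and groups the locations by version. The file-name pattern, the function names, and the sample archive with its version strings are constructed assumptions.

```python
import io
import re
import zipfile
from collections import defaultdict

# Assumption: the library ships under its Maven artifact name, struts2-core-<version>.jar.
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(?P<version>[^/]+)\.jar$")
ARCHIVES = (".war", ".ear", ".jar")

def find_struts(data, path, depth=0, max_depth=4):
    """Yield (version, location) for every Struts core jar, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive (or corrupt): nothing to report
    with zf:
        for info in zf.infolist():
            where = f"{path}!/{info.filename}"
            match = STRUTS_JAR.search(info.filename)
            if match:
                yield match.group("version"), where
            elif info.filename.lower().endswith(ARCHIVES) and depth < max_depth:
                yield from find_struts(zf.read(info), where, depth + 1, max_depth)

def inventory(archive_bytes, label):
    """Map each Struts version found to the list of places it is bundled."""
    found = defaultdict(list)
    for version, where in find_struts(archive_bytes, label):
        found[version].append(where)
    return dict(found)

def make_zip(entries):  # helper for the constructed sample only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_ear():
    """Constructed sample: an EAR bundling two WARs and a shared lib, with made-up versions."""
    shop = make_zip({"WEB-INF/lib/struts2-core-0.0.1-constructed.jar": b"",
                     "WEB-INF/lib/other-1.0.jar": b""})
    admin = make_zip({"WEB-INF/lib/struts2-core-0.0.2-constructed.jar": b""})
    return make_zip({"shop.war": shop, "admin.war": admin,
                     "lib/struts2-core-0.0.1-constructed.jar": b""})

if __name__ == "__main__":
    for version, places in sorted(inventory(build_sample_ear(), "app.ear").items()):
        print(version, *places, sep="\n  ")
```

More than one key in the result means the application carries multiple Struts versions, and each listed location has to be updated for the fix to take effect.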
