Critical Vulnerability CVE-2017-5638 Attacks Escalating

Critical Vulnerability CVE-2017-5638 Attacks Escalating

 Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit this critical vulnerability (CVE-2017-5638), which allows attackers to exploit a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting it on Struts implementations that don't have the update installed yet. There are (at least) two working exploits publicly available, making it relatively simple to take control of web servers in a wide variety of industries.

While NIST has only had a placeholder for the CVE-2017-5638 vulnerability, we have been reporting on it to customers who have used this component since Monday (the same day the patch was released), through our Enhanced Vulnerability Data (EVD). 

Apache Struts 2 Vulnerability Data in Hub

Obviously, zero day vulnerabilities are a problem, in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers with exploits already reported to be in the wild.

Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% still were vulnerable to Heartbleed. 

This is evidence that even well publicized vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application, and almost 10% had three or more versions, further complicating remediation for a vulnerability like this. Unless organizations are diligent about tracking the open source they are using, and vulnerabilities as they are disclosed, these issues don’t get addressed.

Request a Live Demo

 

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

4 Risks in Connected Cars

| May 25, 2017

Black Duck held its inaugural European user conference this month in Amsterdam. Turnout was great, with almost 100 representatives from European businesses attending our training and presentations. I was privileged to lead a panel discussion on the security implications of open source in the

| MORE >

Commercial Application Security: 6 Facts You Didn't Know

| May 4, 2017

Many people know Black Duck from our security and software license compliance business. However, we also have a very strong On-Demand business. Our On-Demand business performs one-time audits of software, typically as part of due diligence in an M&A transaction. In these engagements, the entities

| MORE >

Open Web Application Security Project Updated Top 10

| May 3, 2017

Late last month, the Open Web Application Security Project (OWASP) published a release candidate for the new OWASP Top 10 (T10).  I want to take a look at what has remained and what has changed since the last version. First of all, hats off to OWASP. They do a great job with their many projects

| MORE >