"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805


"This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises." Oege de Moor, CEO and founder of Semmle.

Dozens of Fortune 100 companies are at risk after security researchers at lgtm.com discovered a critical Apache Struts security flaw (CVE-2017-9805) that is "easy" to hack; Rapid7 and Tenable released plug-ins to detect and exploit the vulnerability just one day after the disclosure. This flaw in open source server software is yet another reminder to keep full visibility of every component used in your software.

Who Uses Struts?

Lockheed Martin, the IRS, and Virgin Atlantic have all previously built applications on the affected Struts framework. This shows that the risk spans the defense, financial, and transportation industries, and that it could have damaging outcomes for the large number of websites that use the framework.

Organizations that have not kept an accurate list of the components used in each application are forced to scan their entire environment whenever a vulnerability is announced. Using a vulnerability assessment tool, such as those developed by Tenable or Rapid7, to identify vulnerable versions of Struts can take days, as it did for many organizations when Heartbleed was disclosed. In the interim, the vulnerable applications remain exposed.


Fire Drill to Find Vulnerable Components

This fire drill recurs with every new critical vulnerability because vulnerability assessment tools have no persistent knowledge of the applications we build or the components they use. Additionally, these tools only have plug-ins for a handful of the vulnerabilities reported in open source components each year. Companies that rely solely on these tools are blind to the thousands of open source vulnerabilities each year for which no plug-in is ever built.

There is a simpler way to handle these incidents, and it is neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago with the bill of materials: a detailed listing of every part used in a vehicle. When a recall is issued for a part such as an airbag, the OEMs don't have to inspect every vehicle they manufactured to discover which ones contain the defective part. Through the bill of materials, they know precisely which vehicles are affected, down to the VIN.

Doing the same with software, by maintaining an accurate list of all components used in each application, makes incident response much easier when vulnerabilities like this one are disclosed. A software bill of materials won't tell you whether a vulnerability is actually exploitable (you still need Tenable or Rapid7 for that), but it will tell you quickly which applications are potentially vulnerable and save your security team hours or days of assessment time.
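The "recall by VIN" lookup described above, as an added example that is not code from the original post: a constructed software bill of materials is queried against an advisory record for CVE-2017-9805, whose affected component is the Struts REST plug-in and whose fixed releases are the 2.3.34 and 2.5.13 versions the post cites. The inventory, the Maven-style component names and the rule that branches newer than every listed fix are also fixed are assumptions for illustration.

```python
# Constructed SBOM: application -> [(component, version), ...]
# (payments-api carries an old struts2-core but no REST plug-in, so this
# advisory does not reach it; that is the "remove the plug-in" mitigation.)
SBOM = {
    "customer-portal": [("org.apache.struts:struts2-core", "2.5.10"),
                        ("org.apache.struts:struts2-rest-plugin", "2.5.10")],
    "payments-api":    [("org.apache.struts:struts2-core", "2.3.33")],
    "intranet-wiki":   [("org.apache.struts:struts2-core", "2.3.34"),
                        ("org.apache.struts:struts2-rest-plugin", "2.3.34")],
    "legacy-reports":  [("org.apache.struts:struts2-core", "2.1.8"),
                        ("org.apache.struts:struts2-rest-plugin", "2.1.8")],
}

# Advisory record: the affected component plus the first fixed release on
# each branch (2.3.34 and 2.5.13 are the versions the post cites).
ADVISORY = {
    "id": "CVE-2017-9805",
    "component": "org.apache.struts:struts2-rest-plugin",
    "fixed_in": [(2, 3, 34), (2, 5, 13)],
}

def parse_version(text):
    """'2.5.10' -> (2, 5, 10); missing parts count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(version, fixed_in):
    """True if `version` is at or past the fix for its own x.y branch.
    Assumption: a branch newer than every listed fix also carries the fix."""
    v = parse_version(version)
    for fix in fixed_in:
        if v[:2] == fix[:2]:
            return v >= fix
    return v >= max(fixed_in)

def affected_applications(sbom, advisory):
    """Return {app: version} for each app shipping an unfixed copy of the
    affected component: 'potentially vulnerable', not 'exploitable'."""
    hits = {}
    for app, components in sbom.items():
        for name, version in components:
            if (name == advisory["component"]
                    and not is_fixed(version, advisory["fixed_in"])):
                hits[app] = version
    return hits

if __name__ == "__main__":
    for app, version in sorted(affected_applications(SBOM, ADVISORY).items()):
        print(f"{ADVISORY['id']}: {app} ships {ADVISORY['component']} {version}")
```

Running it flags customer-portal (2.5.10) and legacy-reports (2.1.8) for follow-up with a scanner; the two other applications need no assessment time at all.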

For now, if you don't need REST, remove the plug-in. As soon as possible, update Apache Struts to version 2.3.34 or 2.5.13, per the lgtm security team.
