"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

"This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises." Oege de Moor, CEO and founder of Semmle.

Dozens of Fortune 100 companies are at risk after security researchers at lgtm.com discovered a critical Apache Struts security flaw (CVE-2017-9805) that is "easy" to hack (Rapid7 and Tenable have released plug-ins to detect and exploit the vulnerability just one day after the disclosure). This security flaw, which affects open source server software, serves as yet another reminder to have full visibility over all components used in your software.

Who Uses Struts?

Lockheed Martin, the IRS, and Virgin Atlantic have all previously developed applications using the affected Struts framework. This shows that the risk spans the defense, financial, and transportation industries, and that the large number of websites built on the framework face potentially damaging outcomes.

Organizations that have not kept an accurate list of all components used within each application are forced to scan their entire environment whenever a vulnerability is announced. Using a vulnerability assessment tool, such as those developed by Tenable or Rapid7, to identify vulnerable versions of Struts can take days, as it did for many organizations when Heartbleed was disclosed. In the interim, the vulnerable systems remain exposed.

Fire Drill to Find Vulnerable Components

This fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used. Additionally, these tools only have plug-ins for a handful of the vulnerabilities reported in open source components each year. Companies that rely solely on the tools are blind to the thousands of vulnerabilities in open source each year for which plug-ins aren’t built.

There is a simpler way to handle these incidents, and it's neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago. It's called a bill of materials: a detailed listing of all parts used in a vehicle. When a recall is issued for a part such as an airbag, the OEMs don't have to scan every vehicle manufactured to discover which ones are using the defective part. Through the bill of materials, they know precisely which vehicles are affected, down to the VIN.

Doing the same with software, maintaining an accurate list of all components used in each application, makes incident response much easier when vulnerabilities like this are disclosed. While a software bill of materials won't tell you whether or not the vulnerabilities are exploitable (you still need Tenable or Rapid7 for that), it will allow you to quickly know which applications are potentially vulnerable and save your security team hours or days of assessment time.

For now, if you don't need REST, remove the plug-in. As soon as possible, update Apache Struts to version 2.3.34 or 2.5.13, per the lgtm security team.
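The bill-of-materials triage described above, as an added example that is not Black Duck's or the lgtm team's own code: given a per-application component inventory, it flags which applications carry a struts2-rest-plugin version below the fixed releases named in the post, which ones are already patched, and which ones can simply drop the plug-in. The SBOM layout (Maven coordinate to version), the sample inventory, and the rule that only the 2.3 and 2.5 branches are judged against the stated fixes (other branches are sent for manual review) are assumptions made for this example.

```python
# Fixed versions per the lgtm advisory cited above; a component on the same
# release branch below the fix is treated as affected.
STRUTS_FIXED = {"2.3": (2, 3, 34), "2.5": (2, 5, 13)}
REST_PLUGIN = "org.apache.struts:struts2-rest-plugin"

def parse_version(v):
    """Turn '2.3.33' into (2, 3, 33); non-numeric qualifiers are ignored."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(version):
    """True if this REST plug-in version predates the fix on its branch.

    Returns None for branches the advisory text does not name (assumption:
    those need a human look rather than an automatic verdict)."""
    parsed = parse_version(version)
    branch = ".".join(str(x) for x in parsed[:2])
    fixed = STRUTS_FIXED.get(branch)
    if fixed is None:
        return None
    return parsed < fixed

def triage(inventory):
    """Map each application to 'affected', 'patched', 'review' or 'no-rest-plugin'
    by looking the REST plug-in up in its bill of materials."""
    results = {}
    for app, components in inventory.items():
        version = components.get(REST_PLUGIN)
        if version is None:
            results[app] = "no-rest-plugin"   # nothing to remove or update
            continue
        affected = is_affected(version)
        results[app] = "review" if affected is None else ("affected" if affected else "patched")
    return results

# Constructed sample SBOM (not real applications): app -> {Maven coordinate: version}
INVENTORY = {
    "claims-portal": {"org.apache.struts:struts2-core": "2.3.33", REST_PLUGIN: "2.3.33"},
    "partner-api":   {"org.apache.struts:struts2-core": "2.5.13", REST_PLUGIN: "2.5.13"},
    "intranet":      {"org.apache.struts:struts2-core": "2.3.33"},
    "legacy-crm":    {REST_PLUGIN: "2.1.8.1"},
}

if __name__ == "__main__":
    for app, status in sorted(triage(INVENTORY).items()):
        print(f"{app:14} {status}")
```

With an inventory like this on hand, the list of candidate applications is available in seconds, and the scanner is only needed to confirm exploitability on the ones marked affected or review.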
