"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

"This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises." Oege de Moor, CEO and founder of Semmle.

Dozens of Fortune 100 companies are at risk after security researchers at lgtm.com discovered a critical Apache Struts security flaw (CVE-2017-9805) that is "easy" to hack (Rapid7 and Tenable have released plug-ins to detect and exploit the vulnerability just one day after the disclosure). This security flaw, which affects open source server software, serves as yet another reminder to have full visibility over all components used in your software.

Who Uses Struts?

Lockheed Martin, the IRS, and Virgin Atlantic have all previously developed applications using the affected Struts framework. This showcases that the risk transcends our defense, financial, and transportation industries, and has the potential to have damaging outcomes for the large number of websites that use the framework.

Organizations that have not kept an accurate list of all components used within each application are forced to scan their entire environment when a vulnerability is announced. Using a vulnerability assessment tool, such as those developed by Tenable or Rapid7, to identify vulnerable versions of Struts can take days, as it did for many organizations when Heartbleed was disclosed. Meanwhile, the vulnerable systems remain exposed for the duration of the scan.


Fire Drill to Find Vulnerable Components

This fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used. Additionally, these tools only have plug-ins for a handful of the vulnerabilities reported in open source components each year. Companies that rely solely on the tools are blind to the thousands of vulnerabilities in open source each year for which plug-ins aren’t built.

There is a simpler way to handle these incidents, and it's neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago. It's called a bill of materials: a detailed listing of all parts used in a vehicle. When a recall is issued for a part such as an airbag, the OEMs don't have to inspect every vehicle manufactured to discover which ones are using the defective part. Through the bill of materials, they know precisely which vehicles are affected, down to the VIN.

Doing the same with software, maintaining an accurate list of all components used in each application, makes incident response much easier when vulnerabilities like this are disclosed. A software bill of materials won't tell you whether the vulnerabilities are exploitable (you still need Tenable or Rapid7 for that), but it will let you quickly know which applications are potentially vulnerable and save your security team hours or days of assessment time.

For now, if you don't need REST, remove the plug-in. As soon as possible, update the Apache Struts components to version 2.3.34 or 2.5.13, per the lgtm security team's advice.
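The following script shows what the bill-of-materials approach looks like in practice: an inventory of applications and their components is matched against a disclosed vulnerability, and each hit gets one of the two remediations above (drop the REST plug-in if it isn't used, otherwise upgrade to the fixed version). This is an added example, not code from the original post or from Black Duck; the application names, versions, and the `rest_api_in_use` flag are constructed, the component names are assumed Maven-style artifact ids, and the only advisory data taken from the post are the fixed versions 2.3.34 and 2.5.13.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str      # assumed Maven-style artifact id, e.g. "struts2-rest-plugin"
    version: str


@dataclass
class Application:
    name: str
    components: list
    rest_api_in_use: bool  # does the app actually expose Struts REST endpoints?


# Constructed SBOM: a made-up inventory of four applications and what they ship.
SBOM = [
    Application("customer-portal",
                [Component("struts2-core", "2.3.31"),
                 Component("struts2-rest-plugin", "2.3.31")],
                rest_api_in_use=True),
    Application("claims-api",
                [Component("struts2-core", "2.5.12"),
                 Component("struts2-rest-plugin", "2.5.12")],
                rest_api_in_use=False),
    Application("reporting",
                [Component("struts2-core", "2.5.13"),
                 Component("struts2-rest-plugin", "2.5.13")],
                rest_api_in_use=True),
    Application("intranet",
                [Component("spring-webmvc", "4.3.10")],
                rest_api_in_use=True),
]

# Advisory for CVE-2017-9805 as the post states it: fixed in 2.3.34 and 2.5.13.
# Ranges are half-open [lower, first_fixed). The post names only the fixed
# versions, so everything older than the first fix is conservatively treated
# as affected rather than guessing at a lower bound.
ADVISORY = {
    "struts2-rest-plugin": [((0,), (2, 3, 34)), ((2, 5), (2, 5, 13))],
}


def parse_version(text):
    """Turn '2.5.13' (or '2.5.13-SNAPSHOT') into a comparable tuple (2, 5, 13)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def fixed_version_for(component, advisory=ADVISORY):
    """Return the first fixed version if the component falls in an affected range, else None."""
    v = parse_version(component.version)
    for lower, fixed in advisory.get(component.name, []):
        if lower <= v < fixed:
            return ".".join(map(str, fixed))
    return None


def affected_applications(sbom, advisory=ADVISORY):
    """Map application name -> remediation advice for every app shipping an affected component."""
    findings = {}
    for app in sbom:
        for comp in app.components:
            fixed = fixed_version_for(comp, advisory)
            if fixed is None:
                continue
            if comp.name == "struts2-rest-plugin" and not app.rest_api_in_use:
                advice = f"remove {comp.name} (REST not needed)"
            else:
                advice = f"upgrade {comp.name} {comp.version} -> {fixed}"
            findings.setdefault(app.name, []).append(advice)
    return findings


if __name__ == "__main__":
    for app_name, advice in affected_applications(SBOM).items():
        print(app_name, "=>", "; ".join(advice))
```

Run stand-alone, the script reports `customer-portal` (upgrade to 2.3.34) and `claims-api` (remove the plug-in), and stays silent on the application already at 2.5.13 and the one that doesn't use Struts at all. The lookup is a dictionary match on component name and a tuple comparison on version, which is why it answers in milliseconds where a network scan takes days; the scanner is still needed afterwards to confirm that a flagged application actually exposes the REST plug-in.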
