The just-patched remote code execution flaw in the Apache Struts web application framework has security professionals worried over the prospect of another Equifax-like data breach. Along with patching, organizations should be beefing up their incident response plans.
The open source framework is widely used to develop Java applications, especially publicly accessible, customer-facing web applications. This means systems running Struts can be easily found using publicly available Internet scanning services such as Shodan and Censys. Attackers are highly motivated to develop a working exploit for Struts vulnerabilities as quickly as possible because so many organizations rely on the framework, and because these flaws typically require no existing privileges on the affected application: an unauthenticated request can execute malicious code that takes complete control of the system.
Pavel Avgustinov, vice-president of QL Engineering at security startup Semmle, said waiting to apply the patches “is to take an irresponsible risk,” because in the past, similar critical vulnerabilities in Struts had exploits published within days of being publicized. The Equifax breach, which exposed information belonging to 147 million consumers last year, was traced back to the fact that the credit reporting agency’s servers had not been updated to address a vulnerability (CVE-2017-5638) in Struts that had been fixed back in March. Proof-of-concept code for that flaw appeared on a Chinese-language exploit site within 24 hours, according to Cisco Talos.
Man Yue Mo, the security researcher at Semmle who found the vulnerability and reported it to the Apache Software Foundation in April, said the latest vulnerability (CVE-2018-11776) was “more critical” than the critical bug (CVE-2017-9805) fixed last September.
What to Patch
Organizations using Struts 2.3 should upgrade to 2.3.35, and those using Struts 2.5 should upgrade to 2.5.17. Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and older, unsupported versions of the framework are all affected. Because the issue resides in the core of Apache Struts, it doesn’t matter what additional plugins may or may not be in use.
The release of the software update is just the beginning of a time-consuming and resource-intensive process. Before the organization can deploy the new version to all affected applications, the patch needs to be tested to ensure it won’t adversely impact the existing architecture and configuration. The organization also has to know which of its applications ship the affected Struts component, which is a hard question to answer when the jar may be buried inside a WAR or EAR, or embedded in a vendor product. When serious vulnerabilities are announced, the clock begins ticking on how quickly the organization can assess its exposure and get the necessary fixes in place.
“Framework vulnerabilities, in general, are a serious source of supply-chain risk to organizations who do any kind of in-house development,” said Chad Loder, CEO and founder of Habitu8, a company specializing in security awareness programs.
Struts components can also be found in many commercial products. Cisco released an advisory stating that it was checking its portfolio to see if products such as Cisco Data Center Network Manager, Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software were affected.
Oracle released an out-of-band update last September instead of waiting for its normal update release to address Struts vulnerabilities in a number of its products, including the MySQL Enterprise Monitor, Communications Policy Management, Siebel, WebLogic Server, and various financial services and insurance applications.
Oracle did not respond to a request asking if its products were affected by the latest vulnerability and what the plans were for possible updates. Oracle’s next quarterly patch update is scheduled for Oct. 16.
“Between the time it takes for Oracle to release a patch to the time it takes to bring down and apply the patch to a critical business application could be days or even weeks,” Loder said. “Mere availability of a patch doesn’t protect you.”
The good news is that there are things that can “buy the organization more time” while preparing the update, such as creating new rules for the web application firewall to block attacks or putting the affected application behind a VPN or some other barrier so that it isn’t readily accessible from the Internet. Loder said WAFs, especially SaaS-based offerings from Cloudflare and Fastly, can be “really handy.”
In the most extreme case, the organization may decide to temporarily take the application offline until the updates are complete.
Plan Ahead
Assessing the exposure and mitigating the risks should be part of incident response. Security and development teams should have a preplanned response for dealing with vulnerabilities so that they’re not caught flat-footed when these advisories are made public.
“The hours/days it can take to assess exposure can mean the difference between being breached and not,” Loder said.
There are a number of commercial and open source tools that audit a project’s dependencies for known-vulnerable versions. GitHub scans repositories and alerts owners when projects contain vulnerable dependencies. Unfortunately, that feature won’t help this time around: GitHub currently scans only Ruby, JavaScript, and Python dependencies and does not scan Java, so it won’t flag Struts vulnerabilities.
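The inventory question above (which deployed applications actually ship an affected struts2-core jar?) is the kind of check a team can script for itself while waiting on vendor scanners. The following Python script is an added example, not code from the article or from any vendor it names. It walks a directory tree, reports every `struts2-core-<version>.jar` found loose on disk or nested inside WAR/EAR/JAR archives, and flags versions below the fixed releases named in the advisory (2.3.35 and 2.5.17); any other branch is treated as unsupported and therefore affected. It assumes Struts is present under its standard Maven artifact name and will not catch a copy that has been shaded or renamed. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Inventory struts2-core jars on disk and inside WAR/EAR archives and flag
versions below the fixed releases in the Apache advisory (2.3.35 / 2.5.17).
Added example; the sample tree built by build_sample_tree() is constructed."""
import io
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Fixed releases per branch (from the advisory). Branches missing here are
# unsupported, which the advisory also treats as affected.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Standard Maven artifact name, e.g. struts2-core-2.5.16.jar (optional qualifier).
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")

# Archive types that may contain nested jars (EAR -> WAR -> lib/*.jar).
ARCHIVE_EXT = (".war", ".ear", ".zip", ".jar")


def parse_struts_version(name):
    """Return the version tuple for a struts2-core jar file name, else None."""
    m = JAR_RE.match(os.path.basename(name))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True if the version is below the fixed release for its branch (or unsupported)."""
    fixed = FIXED.get(version[:2])
    return True if fixed is None else version < fixed


def scan_zip(fileobj, location, depth=0, max_depth=3):
    """Return (location, version) for struts2-core jars inside an archive, recursing
    into nested archives held in memory up to max_depth levels."""
    found = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return found  # not a real zip (e.g. a truncated or empty jar)
    with zf:
        for info in zf.infolist():
            inner = f"{location}!{info.filename}"
            version = parse_struts_version(info.filename)
            if version:
                found.append((inner, version))
            elif info.filename.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                found.extend(scan_zip(io.BytesIO(zf.read(info)), inner, depth + 1, max_depth))
    return found


def scan_tree(root):
    """Walk a directory; report every struts2-core jar, loose or inside archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            version = parse_struts_version(name)
            if version:
                findings.append((path, version))
            elif name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_zip(path, path))
    return findings


def report(findings):
    """Turn findings into sorted (location, version string, status) rows."""
    return [(loc, ".".join(map(str, v)), "VULNERABLE" if is_vulnerable(v) else "patched")
            for loc, v in sorted(findings)]


def build_sample_tree(root):
    """Constructed sample input: a loose jar, a WAR, and an EAR wrapping a WAR."""
    root = Path(root)
    lib = root / "app1" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "struts2-core-2.3.34.jar").write_bytes(b"")          # loose, unpatched 2.3
    with zipfile.ZipFile(root / "app2.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.17.jar", b"")  # patched 2.5
        war.writestr("WEB-INF/lib/commons-io-2.6.jar", b"")       # unrelated jar
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.16.jar", b"")  # unpatched, nested
    with zipfile.ZipFile(root / "app3.ear", "w") as ear:
        ear.writestr("app3-web.war", inner.getvalue())


def demo():
    """Scan the constructed tree; returns rows with the temp path replaced by <root>."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rows = report(scan_tree(tmp))
    return [(loc.replace(tmp, "<root>"), ver, status) for loc, ver, status in rows]


if __name__ == "__main__":
    # Usage: python struts_inventory.py [deploy_root]; no argument runs the demo.
    rows = report(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for row in rows:
        print(*row)
```

Point the script at the deployment roots of each application server (or at an artifact repository export) rather than at source checkouts: the question is what is running, not what is declared in a build file. A shaded or repackaged copy of Struts will not match the file-name pattern, so a clean result is evidence, not proof.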
“Given that modern applications are often a combination of custom code, open source components and third-party libraries, any open source governance strategy which covers all these scenarios is best,” said Synopsys technology evangelist Tim Mackey. Synopsys offers BlackDuck, a source code management platform.
Security teams can also use the same public scanners to find which of their own systems run Struts and are Internet-facing. Robert Hansen said BitDiscovery, a new company he recently launched with Jeremiah Grossman, is addressing the challenge of “trying to understand what you’re really vulnerable to and what you really own.”
“Bit Discovery would say, hey, here are the 400 subdomains that claim to be running Struts across all your domains across all IP space without having to keep track of which IPs you run things on, since lots of people use shared hosting or cloud providers, or have marketing sites pop up,” Hansen said.
Do Something
The tricky part about this flaw is that even if an application is currently not vulnerable because of the way Struts is currently configured, “an inadvertent change to a Struts configuration file may render the application vulnerable in the future,” Semmle said. So whether it’s migrating applications off Struts, deploying defensive WAF rules, or speeding up patch testing and deployment, something needs to be done. Inaction is a risk.
“Major, critical Struts vulnerabilities seem to come out roughly once per year. You don't want to have to start from square one when someone in the org asks ‘Hey, are we vulnerable to this?’” Loder said.