Critical Flaw in Apache Struts Exposes Businesses to Cyberattack

A critical flaw in Apache Struts, an open source tool used by many businesses in creating web applications, has recently been uncovered by a cybersecurity researcher at Semmle.

What Is Apache Struts?

Apache Struts is a popular open source tool for creating web applications. According to Apache Software Foundation, the non-profit organization that oversees Apache Struts projects, most organizations – including the Fortune 100 companies – are using Apache Struts for their enterprise web applications.

Latest Security Vulnerability in Apache Struts

The latest security vulnerability uncovered by Semmle researcher Man Yue Mo in Apache Struts can provide an attacker an entry point in corporate networks.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” Mo said. “On top of that, the weakness is related to the Struts OGNL [Object Graph Navigation Language] language, which hackers are very familiar with, and are known to have been exploited in the past.”

In the recently uncovered security flaw in Apache Struts, the attacker doesn’t need any existing privileges to launch an attack against web applications using Struts as these are often facing the public internet.

Once an attacker enters a corporate network via a vulnerable web application using Struts, the attacker can do remote code execution, which means that an attacker can do anything in the network, including data theft. 

According to Semmle, it’s easy for an attacker to determine whether a web application using Struts is vulnerable to this latest Apache Struts vulnerability as “it is likely that dedicated scanning tools will be available soon.” Dedicated scanning tools enable attackers to automate the process of identifying vulnerable web applications.

Mo privately informed the Security Team of the Apache Software Foundation about the security vulnerability on April 10, 2018. The Apache Struts Security Team published the code change that fixes the said vulnerability on June 25, 2018, and on August 22, 2018, the team released new versions of Apache Struts: version 2.3.35and version 2.5.17, fixing the security vulnerability uncovered by Mo of Semmle.

Past Security Vulnerabilities in Apache Struts

Apache Struts has been exploited by cyberattackers in the past. The most popular exploit in Apache Struts in recent memory was that of the cyberattack in consumer credit reporting agency Equifax. 

On September 7, 2017, Equifax announced that attackers were able to access personally identifiable information of nearly 143 millions of its U.S. consumers. The company said the attackers “exploited a U.S. website application vulnerability to gain access to certain files.”

The Equifax data breach is proving to be the most expensive data breach in corporate history. In a conference callin March this year, the company said that the expected breach-related cost through the end of this year is $439 million. 

On September 13, 2017, Equifax identified the security vulnerability that was exploited by attackers as CVE-2017-5638.

Similar to the latest Apache Struts vulnerability uncovered by Mo (designated as vulnerability CVE-2018-11776), the vulnerability CVE-2017-5638 used in Equifax cyberattack exploited the OGNL in Struts. According to Trend Micro, the use of OGNL makes it easy for attackers to execute malicious code remotely as Struts uses it for most of its processes.

The Apache Software Foundation released a security update or patch of the vulnerability CVE-2017-5638on March 7, 2017. “In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” Apache Software Foundation said.

On March 9, 2017, two days after the patch for CVE-2017-5638 was released, Trend Micro reported that an exploit for this vulnerability had been reported to be already in the wild.

Goldman Sachs-backed cybersecurity startup Sonatype told Fortune in May this year that 10,801 organizations, including 57% of the Fortune Global 100 companies, continue to download the known-to-be-vulnerable versions of Apache Struts.

Prevention

The widespread use of Apache Struts means that any security vulnerability in this web application tool poses a threat to many organizations.

According to Apache Software Foundation, the temporal fix for the latest Struts vulnerability is to “Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.”

Semmle, however, said that even if the current web application currently isn’t vulnerable, a change to a Struts configuration file may render the web application vulnerable in the future.

It’s, therefore, important to install any of the fixes to this latest Struts vulnerability (Apache Struts version 2.3.35 or version 2.5.17) as soon as possible as these fixes also contain critical overall proactive security improvements.

As general advice to businesses using Apache Struts, the Apache Software Foundationissued these three general guidelines following the Equifax cyberattack:

1. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

2. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

3. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.”

Your infrastructure and data are precious. When you need help protecting it, turn to our expert team. Call today for a free consultation (416) 920-3000