The Apache Struts framework has been thrust into the spotlight by reports that attackers stole the personal details of 143 million Americans from Equifax.

Struts is an open source MVC framework for building Java-based web applications. For years it was close to the universal choice for Java web development, and it is still widely used across the industry, especially in legacy enterprise applications.

The Apache Software Foundation, which manages the framework, issued a statement in response.

Equifax says the culprit was CVE-2017-5638

Initial media reports suggested the breach may have been caused by an undisclosed flaw in Struts. Equifax, however, has identified the Struts vulnerability used in the attack as CVE-2017-5638, which was already public at the time.

CVE-2017-5638 is a remote code execution (RCE) vulnerability. It was first discovered by Nike Zheng of Anheng Information and reported on March 7. The Struts project rated it high severity and released fixed versions of Struts on the same day the bug was disclosed.

Equifax, however, left the vulnerability unpatched for two months. Attackers exploited it to pull sensitive data out of its systems from May until the intrusion came to light in July.

The vulnerability lies in the Jakarta Multipart parser. It affects Struts 2.3.x releases before 2.3.32 and Struts 2.5.x releases before 2.5.10.1. The flaw is an OGNL injection: when the multipart parser rejects a malformed request, Struts builds an error message that includes the request's Content-Type header and passes it through its localized-text lookup, which evaluates OGNL expressions. An attacker who places an OGNL expression in the Content-Type header of a single unauthenticated HTTP request therefore gets code execution on the server.
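The following is an added example, not code from the Struts project or from the article: a request pre-check that rejects the header shape used to reach the vulnerable parser error path, written as a stop-gap for a Struts 2 deployment that cannot be upgraded immediately. The class name, the Verdict type and the sample headers are all constructed for this example; the real fix remains upgrading to 2.3.32 / 2.5.10.1 or later.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not Struts project code): rejects Content-Type headers of the
 * shape used against CVE-2017-5638 (S2-045). Drop the check into a servlet filter
 * or reverse proxy in front of an unpatched Struts 2 application as a stop-gap.
 */
public class S2045Check {

    // Hypothetical verdict type for this example.
    public enum Verdict { ALLOW, BLOCK_OGNL, BLOCK_MALFORMED_MULTIPART }

    // Struts hands a request to the Jakarta multipart parser whenever the
    // Content-Type contains this token.
    private static final String MULTIPART = "multipart/form-data";

    // OGNL expressions open with "%{" or "${"; neither ever appears in a
    // legitimate media type, so a single occurrence is enough to reject.
    private static final Pattern OGNL_OPENER = Pattern.compile("[%$]\\{");

    // RFC 2046 makes the boundary parameter mandatory for multipart bodies.
    private static final Pattern BOUNDARY = Pattern.compile("(?i)boundary=");

    public static Verdict inspectContentType(String contentType) {
        if (contentType == null) {
            return Verdict.ALLOW;   // no Content-Type: multipart parser never runs
        }
        if (OGNL_OPENER.matcher(contentType).find()) {
            return Verdict.BLOCK_OGNL;
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        // The exploit needs the multipart token (to reach the parser) together
        // with a header the parser cannot parse, so that the error path, which
        // echoes the header into an OGNL-evaluated message, is taken. A multipart
        // header with no boundary is that malformed shape; real clients always
        // send one, so rejecting it costs nothing.
        if (lower.contains(MULTIPART) && !BOUNDARY.matcher(contentType).find()) {
            return Verdict.BLOCK_MALFORMED_MULTIPART;
        }
        return Verdict.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample headers for this example. The second has the outer
        // shape of an S2-045 request with a harmless placeholder expression body.
        List<String> samples = List.of(
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
            "%{(#_='multipart/form-data').(#probe=1)}",
            "application/x-www-form-urlencoded",
            "multipart/form-data"
        );
        for (String header : samples) {
            System.out.printf("%-26s %s%n", inspectContentType(header), header);
        }
    }
}
```

Run it with `java S2045Check.java` (JDK 11 or later). The check only covers the Content-Type vector described above; a header-level filter is a mitigation for exploit traffic, not a substitute for the patched parser.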

Over that period the attackers accessed personal data belonging to a large number of consumers, including Social Security numbers, dates of birth and addresses. Credit card numbers for about 209,000 consumers were also accessed, as was personal data belonging to an undisclosed number of UK and Canadian residents.

The incident, which sent Equifax’s share price down nearly 14% on Wall Street, came as the BBC reported that two US congressional committees would hold hearings into the breach. State attorneys general in New York, Illinois, Massachusetts, Connecticut and Pennsylvania will also open their own investigations.

Apache Foundation response

The Apache Software Foundation’s Struts Project Management Committee responded to Equifax’s statements in the press with several points.

First, it is not yet established that the breach really stemmed from a Struts vulnerability. Second, if it did, then “either the Equifax server was unpatched, allowing some of the earlier published vulnerabilities to be exploited by an attacker, or the attacker took advantage of a hitherto undiscovered vulnerability”.

This wording has been read as suggesting that the vulnerability used by the attackers could be CVE-2017-9805, which was made public on September 5 (more on that below), about a month after Equifax discovered the breach.

The statement also lists a set of software engineering principles which, if followed by every team that uses open source or proprietary libraries, would “help prevent the recurrence of the unfortunate breach experienced by Equifax”.

CVE-2017-9805: the real culprit?

In early September the Struts project issued two security bulletins in quick succession. The first, on September 5, covered three vulnerabilities: CVE-2017-9804, CVE-2017-9805 and CVE-2017-9793.

CVE-2017-9805 is rated critical. Judging by the version history, it had been present for nine years before being discovered: every Struts 2 release since 2008 that ships the REST plugin is affected (2.1.2 through 2.3.33 and 2.5 through 2.5.12), and users should upgrade to 2.3.34 or 2.5.13 as soon as possible. Reading the Apache Foundation’s response, some have speculated that the vulnerability used by the Equifax attackers may have been CVE-2017-9805 rather than CVE-2017-5638 as Equifax stated.

Put simply, the flaw is in the Struts 2 REST plugin, which uses the XStream library to deserialize XML request bodies. The plugin’s XStreamHandler creates a plain XStream instance with no type filtering, so a request body can name arbitrary classes and XStream will instantiate and populate them. Deserializing attacker-chosen types in this way leads to remote code execution; the fix restricts XStream to an allowlist of the types the endpoint actually expects.
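The following is an added example, not code from the Struts REST plugin or from the article: it contrasts an XStream instance with no type filtering, the state the plugin was in, with one restricted to an allowlist of expected types. The class names, the Order payload type and both XML documents are constructed for this example, and it assumes XStream 1.4.7 or later on the classpath (the version that introduced the security API).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not Struts project code): unfiltered versus allowlisted XStream
 * deserialization, the difference at the heart of CVE-2017-9805.
 */
public class XStreamAllowlist {

    /** Hypothetical payload type the endpoint is meant to accept. */
    public static final class Order {
        public String sku;
        public int quantity;
    }

    /**
     * No permissions configured: the XML root element may name any class on the
     * classpath and XStream will instantiate it. (XStream 1.4.18 and later turn
     * the security framework on by default, so this only reproduces the old
     * behaviour on earlier versions.)
     */
    public static XStream unfiltered() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    /** Deny every type first, then allow only nulls, primitives, String and Order. */
    public static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);        // clears all prior permissions
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed inputs for this example. The second names a class outside the
        // allowlist; real payloads name gadget classes, but any disallowed class
        // shows that the filter fires before anything is instantiated.
        String benign = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String hostile = "<java.lang.ProcessBuilder/>";

        Order fromUnfiltered = (Order) unfiltered().fromXML(benign);
        System.out.println("unfiltered parsed: " + fromUnfiltered.sku + " x" + fromUnfiltered.quantity);

        XStream safe = allowlisted();
        Order fromSafe = (Order) safe.fromXML(benign);
        System.out.println("allowlisted parsed: " + fromSafe.sku + " x" + fromSafe.quantity);

        try {
            safe.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile document was deserialized");
        } catch (XStreamException e) {
            // ForbiddenClassException (an XStreamException) is raised for the
            // disallowed type before any constructor or field setter runs.
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

The order of the permission calls matters: `NoTypePermission.NONE` wipes the default permissions, and everything after it re-admits only what is listed. The unfiltered instance is never fed the hostile document here; on a pre-1.4.18 XStream it would instantiate whatever class the root element names.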

The second bulletin, issued on September 7, covered CVE-2017-12611. It is rated moderate and concerns the Struts Freemarker tags: passing request-supplied values into a Freemarker tag through an expression literal or a forced expression, rather than as a plain string literal, causes the value to be evaluated as OGNL and can lead to remote code execution. One of the reporters of the vulnerability is Lupin of JD’s security team.

In response to these vulnerabilities, Cisco issued two security advisories back to back last week and began a security review of its major products.

Roughly 65% of Fortune 100 companies use Struts somewhere in their infrastructure; users include the IRS, Citigroup and Equifax.

According to data from the NSFOCUS (Green Alliance Technology) Threat Intelligence Center, China is among the countries where the Struts framework is most heavily used. As recently as July this year, the China National Vulnerability Database (CNVD, the national information security vulnerability sharing platform) issued a notice on handling high-risk Apache Struts 2 vulnerabilities and the related emergency response work.
