Critical Vulnerability in Apache Struts Affects thousands of Enterprise Applications
On September 5th 2017, security researchers lgtm.com disclosed a vulnerability in the popular Apache Struts framework. This vulnerability is likely to have a strong and lasting impact on attack patterns over the coming months and years. In this briefing, we will have a look at why.
Why does this matter?
Struts is a framework to create Java applications. Frameworks are used to simplify the development of custom applications. A vulnerability in a framework thus means that hundreds or thousands of custom applications suddenly become vulnerable to attack. Depending on the size of the team behind an application it could take anywhere from minutes to years until such vulnerabilities are adequately recognized and addressed.
The vulnerability in question is severe. It allows attackers to execute arbitrary code on the affected systems. The bug exists in the very popular “REST” plugin. While this means not all applications based on Struts are vulnerable, a significant portion of them will be.
Furthermore, Struts is extremely popular with large corporate entities. This means that many of the now vulnerable applications will be of high value to attackers. As expected, hackers were thus very quick to develop and sell working exploits for the vulnerability.
These exploits in turn allow even less skilled attackers to cause significant damage to large corporate entities.
How can I protect myself?
In a first step, verify if any of the applications in your organization rely on Struts. Such information may be gathered from internal IT asset databases. If such databases do not exist, checking with every development team is likely the only reliable way to gather the information.
If projects using Struts are found, they must be upgraded to version 2.3.34 or 2.5.13 as quickly as possible. This should happen regardless of wether the REST plugin is used or not.
In projects where the REST plugin is used, taking the affected applications offline until the upgrade can be completed may be a reasonable security precaution for many enterprises.
How could this have been prevented?
Unlike many other frameworks, Struts has a decent security record. This highlights a larger problem. Over the long term, security vulnerabilities will be found in virtually all frameworks. Using them, thus will at some point expose applications to attacks.
At the same time, developing a complex application without any frameworks is almost impossible and will likely lead to significantly more vulnerabilities being accidentally developed.
The best defense is the regular monitoring of CVEs (vulnerability information releases) for all frameworks used in the organization.