The unfolding of the Equifax breach shows that the attack started around two months after a patch for the Apache Struts2 vulnerability was available. That means the vulnerability could have been eliminated long before the attack. It took Equifax another five weeks to disclose the hack after it was discovered. Company stock plummeted after the breach was announced. The company is not just facing its customers’ wrath, but is also under an FTC investigation.
What is Apache Struts 2?
Hackers were able to take advantage of CVE-2017-5638 in Struts 2 in order to steal confidential information. Struts 2 is an Apache 2.0 licensed Java web framework used to build large-scale web applications. It is commonly used in government, financial, health and large enterprise applications. While Apache Struts 2 is in the news, the vulnerability was the result of the unsafe use of the embedded OGNL library. A defect in the way error messages were parsed as OGNL expressions was exploited in the default Struts 2 file upload functionality. This component was used in an Equifax application, and was exploited to breach the data of an estimated 143 million people.
How can you avoid the risk of exploitation of known vulnerabilities?
You are probably putting out fires now, trying to find and fix any vulnerable instances of Apache Struts2. But it is becoming increasingly urgent that we move beyond dealing with the consequences of exploitation, to focus on how to embed security policies and practices into your operational processes with the objective of reducing the window of opportunity for hackers. This is the only way to avoid leaving unpatched software out there for hackers to exploit.
For Engineers and Developers:
Document and track the security status of the open-source components in all the applications you develop in-house.
Flexera’s Software Composition Analysis platform scans your software and matches it against 12.9 million open source libraries. Additionally, source code fingerprint technology enables identification of copied source code that ends up shipping in your code.
If a breach occurs, it is important to figure out how it happened – and if there are multiple bugs that may allow a hacker continued access. Unpatched systems often have multiple vulnerabilities that allow access from different points in your code. Don’t fix one just to be left open to the next.
For in-house and custom developed software you should ask these questions:
- Which open source libraries and third party content are being used?
- Are you aware of any instance of copied source code being used in your products?
- If there is a data breach, would you be able to identify all instances of this vulnerable code?
- Are your developers trained on component selection based on known vulnerabilities?
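The questions above amount to a software composition check: inventory every declared library and find each instance that falls inside a known-vulnerable version range. The following is an added example written for this page, not Flexera's code and not its Software Composition Analysis product. It parses constructed Maven pom.xml inventories for two hypothetical applications, resolves ${property} version references, and compares each dependency against an advisory record. The vulnerable version ranges recorded for CVE-2017-5638 are assumed placeholders; take the authoritative ranges from the Apache Struts advisory before relying on the output.

```python
"""Minimal software-composition check over Maven pom.xml inventories.

Added example, not Flexera's code. The advisory ranges below are ASSUMED
placeholders; confirm them against the Apache Struts advisory.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). A non-numeric component ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def _pad(v, width):
    return v + (0,) * (width - len(v))


def version_in_range(version, low, high):
    """Inclusive range test; shorter tuples are zero-padded so '2.5' == '2.5.0'."""
    v, lo, hi = map(parse_version, (version, low, high))
    width = max(len(v), len(lo), len(hi))
    return _pad(lo, width) <= _pad(v, width) <= _pad(hi, width)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) from a pom, resolving ${property} versions."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                props[_local(prop.tag)] = (prop.text or "").strip()
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        yield fields.get("groupId", ""), fields.get("artifactId", ""), version


# Advisory record for the CVE discussed on this page. Ranges are ASSUMED placeholders.
ADVISORIES = [
    {
        "cve": "CVE-2017-5638",
        "group": "org.apache.struts",
        "artifact": "struts2-core",
        "vulnerable_ranges": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
        "exploited_in_the_wild": True,
    },
]

# Constructed inventories for two hypothetical in-house applications.
INVENTORY = {
    "billing-portal": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.20</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>""",
    "claims-api": """<project>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>2.5.12</version></dependency>
  </dependencies>
</project>""",
}


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Return one finding per (application, dependency) inside a vulnerable range."""
    findings = []
    for app, pom in inventory.items():
        for group, artifact, version in dependencies(pom):
            for adv in advisories:
                if (group, artifact) != (adv["group"], adv["artifact"]):
                    continue
                if any(version_in_range(version, lo, hi) for lo, hi in adv["vulnerable_ranges"]):
                    findings.append({
                        "app": app,
                        "artifact": f"{group}:{artifact}",
                        "version": version,
                        "cve": adv["cve"],
                        # Actively exploited defects go to the front of the remediation queue.
                        "priority": "P1" if adv["exploited_in_the_wild"] else "P2",
                    })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY):
        print(f"{f['priority']} {f['app']}: {f['artifact']} {f['version']} ({f['cve']})")
```

Run as a script it lists the one flagged instance, billing-portal's struts2-core resolved from a property to 2.3.20; claims-api sits above the placeholder range and junit matches no advisory. The same loop over a real manifest export answers the third question above (every instance of the vulnerable code) rather than stopping at the first hit.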
For System Administrators, IT Security and Operations:
Know which applications and systems you have. Use vulnerability intelligence to determine the security status and prioritize remediation. Integrate security and operations to streamline processes and reduce risk effectively.
We enable SecOps initiatives by providing verified intelligence, timely vulnerability advisories, accurate assessment and security patches. Implement vulnerability management policies and workflows. Continuously track, identify and remediate vulnerable applications — before exploitation leads to costly breaches.
Flexera’s Software Vulnerability Manager delivers vulnerability intelligence, assessment and remediation.
- Track vulnerability intelligence to mitigate the risk of exploitation.
- Continuously assess exposure to more than 20,000 vulnerable applications.
- Report on remediation processes from end to end to ensure SLAs are met.
At Flexera we’re reimagining the way software is bought, sold, managed and secured. Get the facts on Apache Struts2.
Timothy Davis is a Senior Product Marketing Manager at Flexera Software, and has worked in global marketing at high-tech firms such as BMC Software, VeriSign, McAfee, and Lotus. With over 25 years of experience in enterprise software, he has gained a deep understanding of the business challenges faced by IT organizations in enterprises of all sizes. Specializing in IT Service Management and Operations, Tim develops content that translates product features into real business benefits that help IT leaders learn about new and developing technologies that drive IT efficiency and improve customer satisfaction.