How to Protect Yourself from the Struts Vulnerability
It has recently been discovered that a vulnerability in Apache Struts may have left many organizations open to cyberattack. Struts is an open-source framework that many companies use to build their web-based applications. The vulnerability, discovered by Semmle researcher Man Yue Mo, allows attackers to gain access to a corporate network through a security hole present in Struts web applications. Once they gain access to the network, attackers have the ability to execute any code from a remote location.
Semmle researchers believe that it is only a matter of time before attackers are able to completely automate the process of identifying web applications that use Struts. The results of this will be devastating, with thousands of organizations becoming compromised in a short period of time.
Fortunately, Man Yue Mo reported the vulnerability to the Apache software team in April of this year, and the developers have since released numerous patches repairing the security flaws. These were version 2.3.35, released on June 25th 2018, and version 2.5.17, released on August 22nd 2018. These updates repaired the vulnerability (named CVE-2018-11776) and should already be applied to your software. However, if your update process is manual, it is important to verify that your web application is actually running the latest version.
Apache Struts has had previous vulnerability incidents, one of the most recent being the Equifax attack on September 7th 2017, when attackers exploited another flaw in a web application's code. The global information company reported that the sensitive data of over 140 million U.S. customers was compromised, and that the financial damages from the incident were a devastating $439 million.
In its own defense, Apache released a statement noting that a patch fixing the vulnerability had in fact been released on March 7th of that year, making the incident a result of Equifax neglecting to keep its software up to date.
Unfortunately, Equifax is not the only company that is behind on cybersecurity measures. Sonatype recently conducted a study that found that 10,801 organizations are still downloading outdated versions of Apache Struts, leaving their networks vulnerable to the exploit.
Both the Equifax attack and the vulnerability discovered by Man Yue Mo are related to the fact that Struts uses an expression language known as OGNL (Object Graph Navigation Language), which has historically been a frequent source of exploitable flaws.
Protective Measures to Consider
If your organization is currently running web applications built on Apache Struts, follow these best practices provided by the Apache Software Foundation to protect yourself from cyberattack.
First, always ensure that you are running the latest version of Struts. At the time of this article (August 27th 2018), this is version 2.5.17. It is important to establish update cycles measured in days and weeks, not months. As the Equifax attack shows, failure to update your software can have devastating financial impacts on your organization.
Next, never assume that web application software is free of security flaws; build your security measures around the premise that all software contains vulnerabilities. Build your security strategy in layers, ensuring that sensitive data sits behind several independent walls of protection.
Finally, the Apache Software Foundation has also provided the following temporary workaround for the vulnerability discovered by Mo. However, it warns that changing the application's configuration files may introduce further, unpredictable vulnerabilities in the future, so use this strategy at your own risk:
1) Ensure that you have set "namespace" for all defined results in the underlying configuration.
2) Ensure that you have set "value" and "action" for all url tags in your JSPs.
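As an added example (not from the article or from the Apache advisory), the following Python script audits a struts.xml and a JSP fragment against the two rules above. It assumes that the result types needing an explicit namespace are redirectAction and chain, and every sample input, action name and class name in it is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed set of result types that build a new action URL; with no explicit
# namespace, Struts falls back to the namespace taken from the request.
REDIRECTING_RESULT_TYPES = {"redirectAction", "chain"}

def audit_struts_xml(xml_text):
    """One finding per package or redirecting result without a concrete namespace."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if not ns or "*" in ns:
            findings.append(f"package '{pkg.get('name')}': namespace missing or wildcard ({ns!r})")
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in REDIRECTING_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(f"action '{action.get('name')}': {result.get('type')} result "
                                    'has no <param name="namespace">')
    return findings

URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)

def audit_jsp(jsp_text):
    """Flag <s:url> tags that set neither value nor action."""
    return [f"url tag without value/action: {m.group(0)}"
            for m in URL_TAG.finditer(jsp_text)
            if not re.search(r"\b(value|action)\s*=", m.group(1))]

# Constructed struts.xml: package 'default' and its result break both rules,
# package 'secure' follows them.
SAMPLE_STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction"><param name="actionName">welcome</param></result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="welcome" class="example.WelcomeAction">
      <result type="redirectAction"><param name="actionName">home</param>
        <param name="namespace">/secure</param></result>
    </action>
  </package>
</struts>"""
# Constructed JSP fragment: only the first url tag lacks value and action.
SAMPLE_JSP = """<s:url id="bad"><s:param name="id" value="%{id}"/></s:url>
<s:url action="welcome" namespace="/secure" var="good"/>"""
```

Running audit_struts_xml(SAMPLE_STRUTS_XML) and audit_jsp(SAMPLE_JSP) reports the unset package namespace, the redirectAction result without a namespace param, and the url tag without value or action.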
GigE IT Solutions can help you and your organization keep its data safe from cyberattackers. Contact us at +1 888 366 4443 to get started today. GIGE can help you back up your data and protect it from cyberattacks.