A High rated vulnerability was discovered in the Struts framework a month or so ago. All versions of Struts from 2 to 18.104.22.168 are vulnerable According to the Struts team the vulnerability :
- "allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the ParametersInterceptor, thus being able to inject a malicious expression in any exposed string variable for further evaluation."
A few questions:
- Is your company vulnerable?
- Would you even know if you are vulnerable?
- Do you even know if your company is using Struts?
The fix is pure and simple - Upgrade to Struts 22.214.171.124
But then to quote Oscar Wilde:
"The truth is rarely pure and never simple. "
The problem is that there are huge numbers of applications running vulnerable versions of Struts which are unlikely to have been patched with the new version. This could be because companies neither know about the vulnerability nor know that their online applications are using Struts. In many cases the applications have been in production for a few years and the development teams have long since moved on.
While the applications may have been secure at launch, the discovery of the Struts vulnerability now means that these applications are vulnerable. This could well mean that a company is no longer PCI DSS compliant.
While the Simple Fix above is simple, the reality is that it won't be applied because organizations do not know that they are vulnerable.
This is especially a problem with open-source type libraries and frameworks. There is no standard mechanism for publishing information on vulnerabilities. They fall between the cracks. Operations staff are usually aware of OS type vulnerabilities, but not of these types of application frameworks or libraries.
A joint study conducted by Sonatype and Aspect Security found that more than 50 percent of the world’s largest corporations have open source applications with security vulnerabilities.
The real fix lies in having a proper Secure Development Life Cycle in place - in particular a post-production process for identifying newly discovered security vulnerabilities and ensuring that appropriate security fixes are applied.
So here are suggested steps:
- When a new application is being rolled out to production, make sure that it is registered with the corporate Asset Register. This should include information about any frameworks, libraries etc. that the application relies on.
- The operational risk team should monitor for any vulnerabilities in the libraries and frameworks.
- If vulnerabilities are discovered, the operational risk team can look in the corporate Asset Register to identify any impacted applications
- Appropriate fixes can then be applied
- Details on Apache Struts Website
- Compass Security Movie - Tutorial
- Struts 126.96.36.199.
- Sonatype and Aspect Security Study on use of vulnerable Open Source Components
- Oscar Wilde Quote