
5 steps to reduce open source vulnerability risk

By Marilyn de Villiers
Johannesburg, 11 Sept 2017

There are several steps organisations can take to help reduce the risk of an attack similar to the one at the US-based credit reporting agency Equifax last week, according to René Gielen, Vice President of the Apache Struts Project Management Committee at the Apache Software Foundation.

The breach, which resulted in sensitive, personal information of thousands of Americans and Canadians landing up in the hands of cyber criminals, was said to be the result of hackers exploiting a vulnerability in Apache Struts, a popular open-source framework for developing Web applications in the Java programming language.

However, Gielen said that the Equifax breach may, or may not, have been a result of the latest vulnerability in Apache Struts, designated CVE-2017-9805, which had been detected two days before the announcement of the Equifax incident.

"What we saw (at Equifax) is common software engineering business - people write code for achieving a desired function, but may not be aware of undesired side-effects," Gielen said.

"Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805."

Gielen provided the following general advice to businesses and individuals utilising Apache Struts as well as any other open or closed source supporting library in their software products and services:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries have to be updated for security reasons. Do this within hours or a few days, not weeks or months. Most breaches are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. This type of monitoring is good operations practice for business-critical Web-based services.

"Once followed, these recommendations help to prevent breaches such as that unfortunately experienced by Equifax," Gielen concluded.

Software vulnerability discovered in Apache Struts

Security researchers at lgtm, who provide free software engineering analytics for open-source projects, have discovered a critical remote code execution vulnerability in Apache Struts - a popular open-source framework for developing Web applications in the Java programming language. All versions of Struts since 2008 are affected; all Web applications using the framework's popular REST plugin are vulnerable. Shortly after the patched versions of Struts were released on 5 September, multiple working exploits were observed on various Internet sites. Users are strongly advised to upgrade their Apache Struts components as a matter of urgency. This vulnerability has been addressed in Struts versions 2.3.34 and 2.5.13.

Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, confirms the criticality: "The Struts framework is used by an incredibly large number and variety of organisations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible Web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in Internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a Web browser. Organisations who use Struts should upgrade their components immediately."

The credit reporting agency Equifax announced on 7 September that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, "exploited a US Web site application vulnerability to gain access to certain files".

That vulnerability, according to a report on the data breach by William Baird & Co, was in a popular open-source software package called Apache Struts, which is a programming framework for building Web applications in Java.

A huge security breach at credit reporting company Equifax has exposed sensitive information, such as social security numbers and addresses, of up to 143 million Americans.

The data breach is among the worst ever because of the number of people affected and the sensitive type of information exposed.

Credit card numbers for about 209 000 US customers were compromised, in addition to "personal identifying information" on about 182 000 US customers.

New York Attorney General Eric Schneiderman launched a formal investigation into the hack on Friday.

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 open source projects and initiatives, on Saturday issued the following statement regarding the Equifax security breach:

"The Apache Struts Project Management Committee (PMC) would like to comment on the Equifax security breach, its relation to the Apache Struts Web Framework and associated media coverage.

"We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilised, if any. In an online article published on Quartz.com [1], the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04 [2] along with new Struts Framework software releases to patch this and other vulnerabilities [3][4]. However, the security breach was already detected in July [5], which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time - a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time. The article also states that the CVE-2017-9805 vulnerability exists for nine years now.

"We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention. In alignment with the Apache security policies, once we get notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.

"Regarding the assertion that especially CVE-2017-9805 is a nine-year-old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here - we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business - people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we, as well as hopefully all other library and framework maintainers, put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805.

"Our general advice to businesses and individuals utilising Apache Struts, as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts.

"We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts."
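The first two recommendations, in both the reported list and the PMC's statement (know which frameworks and versions you ship, and track the announcements that affect them), are the ones a script can help enforce. The following is an added example, not code from the article, the ASF or lgtm: it reads a constructed Maven pom.xml, lists every org.apache.struts dependency, checks each version against the fixed releases named above (2.3.34 for the 2.3 branch, 2.5.13 for the 2.5 branch) and reports whether the REST plugin is present; the sample POM, the namespace handling and the "unlisted branch is unfixed" rule are assumptions of the example.

```python
# Added example (not code from the article, the ASF or lgtm): inventory a Maven
# build file for Struts and compare against the fixed releases the article names.
import re
import xml.etree.ElementTree as ET

# Fixed version per release branch for CVE-2017-9805 (S2-052), as stated above.
FIXED = {"2.3": (2, 3, 34), "2.5": (2, 5, 13)}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample pom.xml: a pre-patch Struts 2.5 app that ships the REST plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.5.10</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId><version>2.5.10</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>2.8.9</version></dependency>
  </dependencies>
</project>"""

def parse_version(v):
    """'2.5.10' -> (2, 5, 10). Qualifiers are ignored; a property placeholder
    such as '${struts.version}' yields () and is therefore treated as unfixed."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def is_fixed(version):
    """True only at or above the branch's fixed release. Branches the advisory
    does not list (e.g. 2.1.x) count as unfixed: every version since 2008 is affected."""
    parts = parse_version(version)
    fixed = FIXED.get(".".join(str(p) for p in parts[:2]))
    return fixed is not None and parts >= fixed

def struts_dependencies(pom_xml):
    """[(artifactId, version)] for every org.apache.struts dependency in the POM."""
    root = ET.fromstring(pom_xml)
    return [(d.findtext("m:artifactId", "", NS), d.findtext("m:version", "", NS))
            for d in root.iterfind(".//m:dependency", NS)
            if d.findtext("m:groupId", "", NS) == "org.apache.struts"]

def assess(pom_xml):
    """Returns (Struts versions found, REST plugin present, versions needing upgrade)."""
    deps = struts_dependencies(pom_xml)
    versions = sorted({v for _, v in deps})
    rest_plugin = any(a == "struts2-rest-plugin" for a, _ in deps)
    return versions, rest_plugin, [v for v in versions if not is_fixed(v)]

if __name__ == "__main__":
    found, rest, unfixed = assess(SAMPLE_POM)
    print("Struts:", found, "| REST plugin:", rest, "| upgrade needed:", unfixed)
```

Versions pulled in transitively or set through a Maven property are not resolved here; run the check against `mvn dependency:list` output or an equivalent resolved inventory to cover those.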

Two vulnerabilities in Struts have been discovered so far in 2017.

Oege de Moor, CEO and founder of Semmle (the company behind lgtm), said: "This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises. In the spirit of open source, we want to make sure that the community and industry are aware of these findings as we help uncover critical issues in large numbers of open-source projects. Working with Apache Struts, they were extremely responsive and immediately came up with a clear remediation path."

[1] https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
[2] https://cwiki.apache.org/confluence/display/WW/S2-052
[3] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13
[4] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34
[5] https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c1-88e55503ecb0.pdf

About ASF:

Established in 1999, the all-volunteer foundation oversees more than 350 leading open source projects, including Apache HTTP Server - the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 650 individual members and 6 200 committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache Licence; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organisation, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb, Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF
