Slide 1

Slide 1 text

Sean Sullivan June 3, 2021

Slide 2

Slide 2 text

September 7, 2017

Slide 3

Slide 3 text

www.equifax.com

Slide 4

Slide 4 text

Last Week Tonight — October 15, 2017

Slide 5

Slide 5 text

Last Week Tonight — October 15, 2017

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. September 2017

Slide 10

Slide 10 text

https://nvd.nist.gov

Slide 11

Slide 11 text

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload CVE-2017-5638

Slide 12

Slide 12 text

allows remote attackers to execute arbitrary commands CVE-2017-5638

Slide 13

Slide 13 text

via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638

Slide 14

Slide 14 text

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Malicious payload in Content-Type header
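As an added example that is not part of the slides (my code, not the presenter's or Apache's), a small Python check built from the two facts the CVE text gives: the affected Struts version ranges, and a Content-Type value that is not a well-formed media type or carries OGNL expression markers. The marker list and the sample header lines are constructed assumptions, not captured traffic.

```python
import re

# Affected ranges as stated in the CVE-2017-5638 text on the slides:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
FIRST_FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

def parse_version(version):
    """Keep only the numeric components, so '2.3.32-SNAPSHOT' -> (2, 3, 32)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def struts_version_affected(version):
    """True when a Struts 2 version is in a range the CVE text lists as vulnerable."""
    parts = parse_version(version)
    fixed = FIRST_FIXED.get(parts[:2])
    if fixed is None:
        return False  # not a 2.3.x or 2.5.x line; the CVE text makes no claim about it
    return parts < fixed  # tuple comparison handles the 4-part 2.5.10.1 boundary

# A Content-Type value should be token "/" token, optionally followed by ";" parameters
# (RFC 7230 tchar set). OGNL expression syntax cannot appear in a well-formed value.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE = re.compile(rf"^\s*{TCHAR}/{TCHAR}\s*(;.*)?$", re.DOTALL)
# Assumed marker list: OGNL expression delimiters plus the "#cmd=" string named on the slides.
OGNL_MARKERS = ("%{", "${", "#cmd=")

def suspicious_content_type(value):
    """Flag a Content-Type value that carries OGNL markers or is not a media type at all."""
    if any(marker in value for marker in OGNL_MARKERS):
        return True
    return MEDIA_TYPE.match(value) is None

def flagged_content_types(header_lines):
    """Return the Content-Type header lines (e.g. from a proxy or WAF log) that look suspicious."""
    flagged = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type" and suspicious_content_type(value.strip()):
            flagged.append(line)
    return flagged

# Constructed sample header lines; the third is a deliberately non-functional stand-in
# that contains only the "#cmd=" marker, not a working expression.
SAMPLE_HEADERS = [
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW",
    "Content-Type: application/json",
    "Content-Type: %{#cmd='CONSTRUCTED_PLACEHOLDER'}",
    "Content-Length: 42",
]

if __name__ == "__main__":
    print(struts_version_affected("2.3.31"), struts_version_affected("2.5.10.1"))
    print(flagged_content_types(SAMPLE_HEADERS))
```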

Slide 15

Slide 15 text

Struts 2.x internals

Slide 16

Slide 16 text

OGNL expressions

Slide 17

Slide 17 text

com.opensymphony.xwork2.ognl.OgnlUtil

Slide 18

Slide 18 text

ognl.OgnlRuntime

Slide 19

Slide 19 text

import java.lang.reflect.*; public static Object invokeMethod(Object target, Method method, Object[] argsArray) OgnlRuntime.java

Slide 20

Slide 20 text

Untrusted user input + OGNL library

Slide 21

Slide 21 text

Struts 2 internal security

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

June 2018

Slide 26

Slide 26 text

September 9, 2017

Slide 27

Slide 27 text

September 14, 2017

Slide 28

Slide 28 text

October 3, 2017

Slide 29

Slide 29 text

security advice from the Apache Software Foundation

Slide 30

Slide 30 text

Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions. apache.org — September 9, 2017

Slide 31

Slide 31 text

Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017

Slide 32

Slide 32 text

Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless. apache.org — September 9, 2017

Slide 33

Slide 33 text

Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017

Slide 34

Slide 34 text

Establish monitoring for unusual access patterns to your public web resources. apache.org — September 9, 2017

Slide 35

Slide 35 text

Automatic patching?

Slide 36

Slide 36 text

I have talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep Greg Walden October 3, 2017

Slide 37

Slide 37 text

I am unaware of an automatic patch. Richard Smith former Equifax CEO October 3, 2017

Slide 38

Slide 38 text

automatic dependency updates?

Slide 39

Slide 39 text

https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ Dependabot

Slide 40

Slide 40 text

https://github.com/scala-steward-org/scala-steward

Slide 41

Slide 41 text

https://snyk.io/ Snyk

Slide 42

Slide 42 text

How can I learn more about web application security?

Slide 43

Slide 43 text

www.owasp.org

Slide 44

Slide 44 text

Conclusion
• establish security layers
• automate dependency updates
• monitor for unusual access patterns
• encrypt sensitive data

Slide 45

Slide 45 text

questions?

Slide 46

Slide 46 text

THE END

Slide 47

Slide 47 text

Bonus slides

Slide 48

Slide 48 text

Ars Technica — September 13, 2017

Slide 49

Slide 49 text

No content