Apache Struts and the Equifax data breach

sullis
October 17, 2017


Portland Java User Group
Portland Oregon
October 17, 2017
#java #opensource #security #equifax


Transcript

  1. Sean Sullivan October 17, 2017 Portland Java Users Group

  2. About me • software engineer • 21 years on the JVM • Scala since 2011 • back office systems. Java is fine.
  3. September 7, 2017

  4. www.equifax.com

  5. Last Week Tonight — October 15, 2017

  6. Last Week Tonight — October 15, 2017

  10. We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. September 2017
  11. https://nvd.nist.gov

  12. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload CVE-2017-5638
  13. allows remote attackers to execute arbitrary commands CVE-2017-5638

  14. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638
  15. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

  16. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

  17. Struts 2.x internals

  18. OGNL expressions

  19. com.opensymphony.xwork2.ognl.OgnlUtil

  20. ognl.OgnlRuntime

  21. OgnlRuntime.java: import java.lang.reflect.*; public static Object invokeMethod(Object target, Method method, Object[] argsArray)
  22. September 9, 2017

  23. September 14, 2017

  24. October 3, 2017

  25. security advice from the Apache Software Foundation

  26. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions. apache.org — September 9, 2017
  27. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017
  28. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless. apache.org — September 9, 2017
  29. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017
  30. Establish monitoring for unusual access patterns to your public Web resources. We recommend such monitoring as good operations practice for business critical Web-based services. apache.org — September 9, 2017
  31. Automatic patching?

  32. I have talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep Greg Walden October 3, 2017
  33. I am unaware of an automatic patch. Richard Smith, former Equifax CEO, October 3, 2017
  34. automatic dependency upgrades for Scala applications?

  35. https://github.com/flowcommerce/dependency

  36. https://twitter.com/mbryzek/status/913953394473172993

  37. how to prevent Java applications from calling exec()

  38. java.lang.SecurityManager

  39. public void checkExec(String command)

  40. public class MySecurityManager extends SecurityManager {
        @Override
        public void checkExec(String command) {
          throw new SecurityException("nope");
        }
      }
  41. How can I learn more about web application security?

  42. www.owasp.org

  43. October 4, 2017

  44. Conclusion • establish security layers • consider java.lang.SecurityManager • encrypt sensitive data • adopt OWASP best practices
  45. questions?

  46. THE END

  48. Bonus slides

  49. Ars Technica — September 13, 2017

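As an added example that is not part of the talk, here is a complete program built around the checkExec() override from slides 37-40 and the "consider java.lang.SecurityManager" point of the conclusion: it installs a SecurityManager that vetoes every process launch and then shows that both Runtime.exec() and ProcessBuilder.start() are refused. The class names NoExecDemo and NoExecSecurityManager are my own, and the program assumes a JDK that still allows installing a SecurityManager at runtime.

```java
// Added example (not from the slides): a SecurityManager that denies every
// attempt to spawn a subprocess, demonstrating the checkExec() hook.
// Assumes a JDK where installing a SecurityManager at runtime is allowed
// (Java 8-17 as-is; Java 18+ needs -Djava.security.manager=allow).
import java.io.IOException;

public class NoExecDemo {

    // Deny all process creation. Every other check is inherited unchanged,
    // so this manager adds only the exec() restriction.
    static final class NoExecSecurityManager extends SecurityManager {
        @Override
        public void checkExec(String cmd) {
            throw new SecurityException("process execution blocked: " + cmd);
        }
    }

    // Returns true only when the runtime refused to spawn the command.
    static boolean execBlocked(String cmd) {
        try {
            Runtime.getRuntime().exec(cmd);
            return false;           // the process was started
        } catch (SecurityException e) {
            return true;            // checkExec() vetoed it
        } catch (IOException e) {
            return false;           // command not found, but exec was permitted
        }
    }

    public static void main(String[] args) {
        // Before the manager is installed the JVM will spawn processes freely.
        System.out.println("blocked before install: " + execBlocked("true"));

        System.setSecurityManager(new NoExecSecurityManager());

        // Both Runtime.exec() and ProcessBuilder.start() route through checkExec().
        System.out.println("blocked after install:  " + execBlocked("true"));
        try {
            new ProcessBuilder("true").start();
        } catch (SecurityException e) {
            System.out.println("ProcessBuilder also blocked: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("unexpected: " + e);
        }
    }
}
```

SecurityManager was deprecated for removal in Java 17 (JEP 411), and Java 18 and later refuse to install one unless the JVM is started with -Djava.security.manager=allow, so on current JDKs the same "no shell for the web tier" goal is better enforced by running the application under a least-privilege OS account or container that cannot launch a shell.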