Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apache Struts and the Equifax data breach

October 17, 2017

Apache Struts and the Equifax data breach

Portland Java User Group
Portland Oregon
October 17, 2017
#java #opensource #security #equifax


October 17, 2017

More Decks by sullis

Other Decks in Technology


  1. • software engineer • 21 years on the JVM •

    Scala since 2011 • back office systems About me Java is fine.
  2. We know that criminals exploited a US website application vulnerability.

    The vulnerability was Apache Struts CVE-2017-5638. September 2017
  3. The Jakarta Multipart parser in Apache Struts 2 2.3.x before

    2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during file-upload CVE-2017-5638
  4. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as

    exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638
  5. Understand which supporting frameworks and libraries are used in your

    software products and in which versions. Keep track of security announcements affecting this products and versions. apache.org — September 9, 2017
  6. Establish a process to quickly roll out a security fix

    release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017
  7. Any complex software contains flaws. Don't build your security policy

    on the assumption that supporting software products are flawless apache.org — September 9, 2017
  8. Establish security layers. It is good software engineering practice to

    have individually secured layers behind a public- facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017
  9. Establish monitoring for unusual access patterns to your public Web

    resources. We recommend such monitoring as good operations practice for business critical Web- based services. apache.org — September 9, 2017
  10. I have talked to other software companies and people in

    this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep Greg Walden October 3, 2017