
Apache Struts and the Equifax data breach

sullis
October 17, 2017

Portland Java User Group
Portland Oregon
October 17, 2017
#java #opensource #security #equifax

Transcript

  1. Sean Sullivan
    October 17, 2017
    Portland Java Users Group

  2. About me
    • software engineer
    • 21 years on the JVM
    • Scala since 2011
    • back office systems
    Java is fine.

  3. September 7, 2017

  4. www.equifax.com

  5. Last Week Tonight — October 15, 2017

  6. Last Week Tonight — October 15, 2017

  7. (image-only slide)

  8. (image-only slide)

  9. (image-only slide)

  10. We know that criminals exploited a US website
    application vulnerability.
    The vulnerability was Apache Struts CVE-2017-5638.
    September 2017

  11. https://nvd.nist.gov

  12. The Jakarta Multipart parser in Apache Struts 2
    2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has
    incorrect exception handling and error-message
    generation during file-upload
    CVE-2017-5638

  13. allows remote attackers to execute
    arbitrary commands
    CVE-2017-5638

  14. via a crafted Content-Type, Content-Disposition,
    or Content-Length HTTP header, as exploited in
    the wild in March 2017 with a Content-Type
    header containing a #cmd= string
    CVE-2017-5638
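The three slides above spell out the advisory text: the multipart parser folds a malformed Content-Type header into an error message that is then evaluated as an expression. The upgrade to 2.3.32 / 2.5.10.1 is the fix; the servlet filter below is an added defence-in-depth example written for this transcript, not code from the talk or from the Struts project. It rejects any multipart request whose Content-Type does not match the RFC 2046 grammar for a boundary, and any Content-Length that is not a plain integer, before Struts ever sees the request. It assumes the javax.servlet API (Servlet 3.x or 4.x) is on the classpath; the class name, the log format and the sample headers in main() are constructed for the example.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the talk): a filter mapped in front of the Struts
// filter that refuses multipart requests with a malformed Content-Type or
// Content-Length header, so such a header never reaches the multipart parser.
public class MultipartHeaderFilter implements Filter {

    // Allowlist grammar: multipart/form-data; boundary=<1..70 RFC 2046 bchars>[; charset=<token>]
    // Expression markers such as "%{" or "#cmd=" contain characters outside this class.
    private static final Pattern MULTIPART_CONTENT_TYPE = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[A-Za-z0-9'()+_,\\-./:=? ]{1,70}\"?"
        + "\\s*(;\\s*charset=[A-Za-z0-9_-]+\\s*)?$", Pattern.CASE_INSENSITIVE);

    private static final Pattern CONTENT_LENGTH = Pattern.compile("^[0-9]{1,19}$");

    /** True when the headers are well formed enough to hand to the multipart parser. */
    public static boolean headersAcceptable(String contentType, String contentLength) {
        if (contentType == null) return true;                  // no body type: not an upload
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (!lower.contains("multipart/")) return true;        // multipart parser not involved
        if (!MULTIPART_CONTENT_TYPE.matcher(contentType).matches()) return false;
        return contentLength == null || CONTENT_LENGTH.matcher(contentLength).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String ct = request.getHeader("Content-Type");
        String cl = request.getHeader("Content-Length");
        if (!headersAcceptable(ct, cl)) {
            // Log a record for the "unusual access pattern" monitoring the ASF recommends,
            // without copying the raw header into anything that might evaluate it.
            System.err.println("rejected multipart request from " + request.getRemoteAddr()
                + " uri=" + request.getRequestURI()
                + " content_type_length=" + ct.length());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    // Constructed sample headers so the check can be exercised without a container.
    public static void main(String[] args) {
        String[][] samples = {
            {"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", "1024"}, // accept
            {"multipart/form-data; boundary=abc; #cmd=", "1024"},  // reject: marker named in the advisory
            {"%{multipart/form-data}", "1024"},                       // reject: expression syntax, not a media type
            {"multipart/form-data; boundary=abc", "10x"},             // reject: non-numeric length
            {"application/json", null},                               // accept: not multipart, passed through
        };
        for (String[] s : samples) {
            System.out.println((headersAcceptable(s[0], s[1]) ? "accept " : "reject ") + s[0]);
        }
    }
}
```

Two caveats: the advisory also names Content-Disposition, which lives inside the multipart body parts and is not visible to this header-only check; and an allowlist filter like this reduces exposure but does not remove the bug, so it belongs beside the version upgrade, not in place of it.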

  15. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

  16. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

  17. Struts 2.x internals

  18. OGNL expressions

  19. com.opensymphony.xwork2.ognl.OgnlUtil

  20. ognl.OgnlRuntime

  21. OgnlRuntime.java

    import java.lang.reflect.*;

    public static Object invokeMethod(
            Object target,
            Method method,
            Object[] argsArray)

  22. September 9, 2017

  23. September 14, 2017

  24. October 3, 2017

  25. security advice from the Apache Software Foundation

  26. Understand which supporting frameworks and
    libraries are used in your software products and
    in which versions.
    Keep track of security announcements affecting
    these products and versions.
    apache.org — September 9, 2017

  27. Establish a process to quickly roll out a security
    fix release of your software product once
    supporting frameworks or libraries need to be
    updated for security reasons.
    Best is to think in terms of hours or a few days,
    not weeks or months.
    apache.org — September 9, 2017
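Slides 26 and 27 ask for two things: know which framework versions you are running, and be able to act on an advisory in hours. The class below is an added example written for this transcript (not the talk's code and not an Apache tool) of the first step done at runtime: it reads the Maven pom.properties that ships inside struts2-core and compares the version against the two ranges the NVD entry lists for CVE-2017-5638 (2.3.x before 2.3.32, 2.5.x before 2.5.10.1). It assumes struts2-core was built by Maven under the coordinates org.apache.struts:struts2-core, which is how the artifact is published; the class name and the sample version strings in main() are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

// Added example (not from the talk): find the struts2-core version on the
// classpath and report whether it sits in a range CVE-2017-5638 affects.
public class StrutsVersionCheck {

    // Maven writes this file into every jar it builds.
    private static final String POM_PROPERTIES =
        "META-INF/maven/org.apache.struts/struts2-core/pom.properties";

    /** The struts2-core version on the classpath, or null if the jar is absent. */
    public static String detectVersion() {
        try (InputStream in = StrutsVersionCheck.class.getClassLoader()
                .getResourceAsStream(POM_PROPERTIES)) {
            if (in == null) return null;
            Properties p = new Properties();
            p.load(in);
            return p.getProperty("version");
        } catch (IOException e) {
            return null;
        }
    }

    /** Compares dotted versions segment by segment; a missing segment counts as 0. */
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? leadingNumber(x[i]) : 0;
            int yi = i < y.length ? leadingNumber(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // Drop qualifiers such as "-SNAPSHOT" or "RC1" so they do not break the comparison.
    private static int leadingNumber(String segment) {
        String digits = segment.replaceAll("[^0-9].*$", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    /** True when the version falls inside one of the advisory's vulnerable ranges. */
    public static boolean isAffected(String version) {
        if (version.startsWith("2.3.")) return compare(version, "2.3.32") < 0;
        if (version.startsWith("2.5.")) return compare(version, "2.5.10.1") < 0;
        return false; // other lines are outside the ranges this check encodes
    }

    public static void main(String[] args) {
        String v = detectVersion();
        if (v == null) {
            System.out.println("struts2-core not found on the classpath");
        } else {
            System.out.println("struts2-core " + v
                + (isAffected(v) ? " is affected" : " is not affected") + " by CVE-2017-5638");
        }
        // Constructed sample versions, so the comparison runs without Struts present.
        for (String s : new String[] {"2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.5.13"}) {
            System.out.println(s + " -> " + (isAffected(s) ? "affected" : "not affected"));
        }
    }
}
```

The check encodes only the two ranges the advisory names; a Struts line outside them is reported as not affected by this CVE, nothing more. Running it from a health endpoint or a startup log line gives the inventory that slide 26 asks for, and is what makes the hours-not-months rollout of slide 27 measurable.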

  28. Any complex software contains flaws.
    Don't build your security policy on the
    assumption that supporting software products
    are flawless.
    apache.org — September 9, 2017

  29. Establish security layers.
    It is good software engineering practice to have
    individually secured layers behind a public-facing
    presentation layer such as the Apache Struts framework.
    apache.org — September 9, 2017

  30. Establish monitoring for unusual access
    patterns to your public Web resources.
    We recommend such monitoring as good
    operations practice for business critical
    Web-based services.
    apache.org — September 9, 2017

  31. Automatic patching?

  32. I have talked to other software companies and people in
    this space who say some companies have an automated
    system that when a patch comes out it automatically gets
    installed.
    That is not what you had necessarily, right?
    Rep Greg Walden
    October 3, 2017

  33. I am unaware of an automatic patch.
    Richard Smith
    former Equifax CEO
    October 3, 2017

  34. automatic dependency upgrades for Scala applications?

  35. https://github.com/flowcommerce/dependency

  36. https://twitter.com/mbryzek/status/913953394473172993

  37. how to prevent Java applications from calling exec()

  38. java.lang.SecurityManager

  39. public void checkExec(String command)

  40. public class MySecurityManager extends SecurityManager {
        @Override
        public void checkExec(String command) {
            throw new SecurityException("nope");
        }
    }
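The slide shows the one override that matters; what it leaves out is how the manager gets installed and how it stays installed. The class below is an added example for this transcript, not the speaker's code: it keeps the deny-exec behaviour of MySecurityManager, permits everything else (so no policy file is needed to drop it into an existing application), and additionally refuses the RuntimePermission that would let code call System.setSecurityManager(null) and uninstall it. The class name and the commands tried in main() are constructed for the example.

```java
import java.io.IOException;
import java.security.Permission;

// Added example (not from the talk): a SecurityManager that blocks process
// creation, allows all other operations, and cannot be swapped out at runtime.
public class NoExecSecurityManager extends SecurityManager {

    @Override
    public void checkExec(String command) {
        // Runtime.exec and ProcessBuilder.start both call this before spawning a process.
        throw new SecurityException("process execution is disabled: " + command);
    }

    @Override
    public void checkPermission(Permission perm) {
        // System.setSecurityManager checks this permission; denying it stops code from
        // replacing or removing this manager.
        if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException("replacing the SecurityManager is disabled");
        }
        // Everything else is permitted. A stricter deployment would fall back to
        // super.checkPermission(perm) here and supply a policy file.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExecSecurityManager());

        try {
            new ProcessBuilder("ls").start();          // constructed command for the demo
            System.out.println("exec succeeded (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("I/O error: " + e.getMessage());
        }

        try {
            System.setSecurityManager(null);           // attempt to uninstall the manager
            System.out.println("manager removed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

For a web application the manager must be in place before any request is served: either install it from a ServletContextListener or start the JVM with -Djava.security.manager=NoExecSecurityManager so the runtime instantiates it before main. Two caveats on the JDK side: SecurityManager was deprecated for removal in Java 17 (JEP 411), and from Java 18 System.setSecurityManager throws unless the JVM is started with -Djava.security.manager=allow, so this is a stop-gap for the 2017-era JVMs the talk addresses rather than a long-term control.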

  41. How can I learn more about web application security?

  42. www.owasp.org

  43. October 4, 2017

  44. Conclusion
    • establish security layers
    • consider java.lang.SecurityManager
    • encrypt sensitive data
    • adopt OWASP best practices

  45. questions?

  46. THE END

  47. (image-only slide)

  48. Bonus slides

  49. Ars Technica — September 13, 2017

  50. (image-only slide)