Apache Struts and the Equifax data breach

Transcript

1. Sean Sullivan October 17, 2017 Portland Java Users Group

2. • software engineer • 21 years on the JVM •

   Scala since 2011 • back office systems About me Java is fine.

3. September 7, 2017

4. www.equifax.com

5. Last Week Tonight — October 15, 2017

6. Last Week Tonight — October 15, 2017

7. None
8. None
9. None

10. We know that criminals exploited a US website application vulnerability.

    The vulnerability was Apache Struts CVE-2017-5638. September 2017

11. https://nvd.nist.gov

12. The Jakarta Multipart parser in Apache Struts 2 2.3.x before

    2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload CVE-2017-5638

13. allows remote attackers to execute arbitrary commands CVE-2017-5638

14. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as

    exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638

15. http://blog.talosintelligence.com/2017/03/apache-0-day- exploited.html

16. http://blog.talosintelligence.com/2017/03/apache-0-day- exploited.html

17. Struts 2.x internals

18. OGNL expressions

19. com.opensymphony.xwork2.ognl.OgnlUtil

20. ognl.OgnlRuntime

21. import java.lang.reflect.*; public static Object invokeMethod( Object target, Method method,

    Object[] argsArray) OgnlRuntime.java

22. September 9, 2017

23. September 14, 2017

24. October 3, 2017

25. security advice from the Apache Software Foundation

26. Understand which supporting frameworks and libraries are used in your

    software products and in which versions. Keep track of security announcements affecting this products and versions. apache.org — September 9, 2017

27. Establish a process to quickly roll out a security fix

    release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017

28. Any complex software contains flaws. Don't build your security policy

    on the assumption that supporting software products are flawless apache.org — September 9, 2017

29. Establish security layers. It is good software engineering practice to

    have individually secured layers behind a public- facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017

30. Establish monitoring for unusual access patterns to your public Web

    resources. We recommend such monitoring as good operations practice for business critical Web- based services. apache.org — September 9, 2017

31. Automatic patching?

32. I have talked to other software companies and people in

    this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep Greg Walden October 3, 2017

33. I am unaware of an automatic patch. Richard Smith former

    Equifax CEO October 3, 2017

34. automatic dependency upgrades for Scala applications?

35. https://github.com/flowcommerce/dependency

36. https://twitter.com/mbryzek/status/913953394473172993

37. how to prevent Java applications from calling exec()

38. java.lang.SecurityManager

39. public void checkExec(String command)

40. public class MySecurityManager extends SecurityManager { @Override public void checkExec(String

    command) { throw new SecurityException("nope"); } }

41. How can I learn more about web application security?

42. www.owasp.org

43. October 4, 2017

44. Conclusion • establish security layers • consider java.lang.SecurityManager • encrypt

    sensitive data • adopt OWASP best practices

45. questions?

46. THE END

47. None

48. Bonus slides

49. Ars Technica — September 13, 2017

50. None