Apache Struts and the Equifax data breach
June 3, 2021
#security
#java

sullis

Transcript

  1. Sean Sullivan

    June 3, 2021

  2. September 7, 2017

  3. www.equifax.com

  4. Last Week Tonight — October 15, 2017

  5. Last Week Tonight — October 15, 2017

  6. We know that criminals exploited a US website
    application vulnerability.

    The vulnerability was Apache Struts CVE-2017-5638.

    September 2017

  7. https://nvd.nist.gov

  8. The Jakarta Multipart parser in Apache Struts 2
    2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has
    incorrect exception handling and error-message
    generation during file-upload

    CVE-2017-5638

  9. allows remote attackers to execute
    arbitrary commands

    CVE-2017-5638

  10. via a crafted Content-Type, Content-Disposition,
    or Content-Length HTTP header, as exploited in
    the wild in March 2017 with a Content-Type
    header containing a #cmd= string

    CVE-2017-5638

  11. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
    Malicious payload in Content-Type header

  12. Struts 2.x internals

  13. OGNL expressions

  14. com.opensymphony.xwork2.ognl.OgnlUtil

  15. ognl.OgnlRuntime

  16. OgnlRuntime.java

    import java.lang.reflect.*;

    public static Object invokeMethod(Object target,
                                      Method method,
                                      Object[] argsArray)

  17. Untrusted user input + OGNL library

  18. Struts 2 internal security

  19. September 9, 2017

  20. September 14, 2017

  21. October 3, 2017

  22. security advice from the Apache Software Foundation

  23. Understand which supporting frameworks and
    libraries are used in your software products and
    in which versions.

    Keep track of security announcements affecting
    these products and versions.

    apache.org — September 9, 2017

  24. Establish a process to quickly roll out a security
    fix release of your software product once
    supporting frameworks or libraries need to be
    updated for security reasons.

    Best is to think in terms of hours or a few days,
    not weeks or months.

    apache.org — September 9, 2017

  25. Any complex software contains flaws.

    Don't build your security policy on the
    assumption that supporting software products
    are flawless.

    apache.org — September 9, 2017

  26. Establish security layers.

    It is good software engineering practice to have
    individually secured layers behind a public-facing
    presentation layer such as the Apache Struts
    framework.

    apache.org — September 9, 2017

  27. Establish monitoring for unusual access
    patterns to your public web resources.

    apache.org — September 9, 2017
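The crafted Content-Type header described in slides 8 to 11 and the monitoring advice in slide 27, turned into detection logic a defender can run over a request log. This is an added example, not part of the deck: the tab-separated proxy log format that records each request's Content-Type header and the sample lines in it are constructed for the example. It flags values that are not a well-formed media type and, separately, OGNL delimiters, because `%{...}` placed inside a quoted boundary parameter is well-formed yet still reaches the error-message generation the CVE text names.

```python
import re
from typing import List, Tuple

# Simplified RFC 7231 media-type grammar (added example, not from the deck):
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)
# OGNL expression delimiters, plus the "#cmd=" literal the deck says was seen in the wild.
_OGNL_MARKERS = ("%{", "${", "#cmd=")


def classify_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value looks hostile; [] means it passed."""
    reasons = []
    if not _MEDIA_TYPE.match(value):
        reasons.append("malformed-media-type")
    lowered = value.lower()
    for marker in _OGNL_MARKERS:
        # Checked separately from the grammar: "%{...}" inside a quoted-string
        # parameter is a well-formed media type yet still reaches the OGNL evaluator.
        if marker in lowered:
            reasons.append(f"ognl-marker:{marker}")
    return reasons


# Constructed proxy log, not real traffic: client, method, path, Content-Type (tab-separated).
SAMPLE_LOG = (
    "10.0.0.5\tPOST\t/upload.action\tmultipart/form-data; boundary=----Boundary1\n"
    "10.0.0.6\tPOST\t/login.action\tapplication/x-www-form-urlencoded\n"
    "10.0.0.7\tPOST\t/upload.action\t%{#cmd='echo test'}\n"
    "10.0.0.8\tPOST\t/upload.action\tmultipart/form-data; boundary=\"%{1+1}\"\n"
    "10.0.0.9\tPOST\t/upload.action\tmultipart/form-data; boundary=abc; x=(1\n"
)


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, content_type, reasons) for every request that trips a check."""
    hits = []
    for line in text.splitlines():
        client, _method, _path, ctype = line.split("\t", 3)
        reasons = classify_content_type(ctype)
        if reasons:
            hits.append((client, ctype, reasons))
    return hits


if __name__ == "__main__":
    for client, ctype, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}  {', '.join(reasons)}  {ctype!r}")
```

Line 10.0.0.8 is the case a grammar-only check misses: the media type parses cleanly, so only the marker check reports it.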

  28. Automatic patching?

  29. I have talked to other software companies and people in
    this space who say some companies have an automated
    system that when a patch comes out it automatically gets
    installed.

    That is not what you had necessarily, right?

    Rep. Greg Walden
    October 3, 2017

  30. I am unaware of an automatic patch.

    Richard Smith
    former Equifax CEO
    October 3, 2017

  31. automatic dependency updates?

  32. https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
    Dependabot

  33. https://github.com/scala-steward-org/scala-steward

  34. https://snyk.io/
    Snyk

  35. How can I learn more about web application security?

  36. www.owasp.org

  37. Conclusion
    • establish security layers
    • automate dependency updates
    • monitor for unusual access patterns
    • encrypt sensitive data

  38. Bonus slides

  39. Ars Technica — September 13, 2017