Apache Struts and the Equifax data breach 2021-06-03

Transcript

1. Sean Sulliva n June 3, 2021

2. September 7, 2017

3. www.equifax.com

4. Last Week Tonight — October 15, 2017

5. Last Week Tonight — October 15, 2017

6. None
7. None
8. None

9. We know that criminals exploited a US website application vulnerability.

   The vulnerability was Apache Struts CVE-2017-5638 . September 2017

10. https://nvd.nist.gov

11. The Jakarta Multipart parser in Apache Struts 2 2.3.x before

    2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during fi le-upload CVE-2017-5638

12. allows remote attackers to execute arbitrary command s CVE-2017-5638

13. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as

    exploited in the wild in March 2017 with a Content-Type header containing a #cmd= strin g CVE-2017-5638

14. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Malicious payload in Content-Type header

15. Struts 2.x internals

16. OGNL expressions

17. com.opensymphony.xwork2.ognl.OgnlUtil

18. ognl.OgnlRuntime

19. import java.lang.re fl ect.* ; public static Object invokeMethod (

    Object target , Method method, Object[] argsArray ) OgnlRuntime.java

20. Untrusted user inpu t + OGNL librar y

21. Struts 2 internal security

22. None
23. None
24. None

25. June 2018

26. September 9, 2017

27. September 14, 2017

28. October 3, 2017

29. security advic e from th e Apache Software Foundation

30. Understand which supporting frameworks and libraries are used in your

    software products and in which versions. Keep track of security announcements affecting this products and versions . apache.org — September 9, 2017

31. Establish a process to quickly roll out a security fi

    x release of your software product once supporting frameworks or libraries needs to be updated for security reasons . apache.org — September 9, 2017 Best is to think in terms of hours or a few days, not weeks or months.

32. Any complex software contains fl aws. Don't build your security

    policy on the assumption that supporting software products are fl awless apache.org — September 9, 2017

33. Establish security layers . It is good software engineering practice

    to have individually secured layers behind a public- facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017

34. Establish monitoring for unusual access patterns to your public web

    resources. apache.org — September 9, 2017

35. Automatic patching?

36. I have talked to other software companies and people in

    this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right ? Rep Greg Walde n October 3, 2017

37. I am unaware of an automatic patch . Richard Smit

    h former Equifax CE O October 3, 2017

38. automatic dependency updates?

39. https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ Dependabot

40. https://github.com/scala-steward-org/scala-steward

41. https://snyk.io/ Snyk

42. How can I learn more about web application security?

43. www.owasp.org

44. Conclusion • establish security layer s • automate dependency update

    s • monitor for unusual access pattern s • encrypt sensitive data

45. questions?

46. THE END

47. Bonus slides

48. Ars Technica — September 13, 2017

49. None