
Apache Struts and the Equifax data breach 2021-06-03

Apache Struts and the Equifax data breach
June 3, 2021
#security
#java


sullis

June 03, 2021

Transcript

  1. Sean Sullivan June 3, 2021

  2. September 7, 2017

  3. www.equifax.com

  4. Last Week Tonight — October 15, 2017

  5. Last Week Tonight — October 15, 2017

  6. None
  7. None
  8. None
  9. We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. September 2017

  10. https://nvd.nist.gov

  11. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload CVE-2017-5638

  12. allows remote attackers to execute arbitrary commands CVE-2017-5638

  13. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638

  14. http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Malicious payload in Content-Type header

  15. Struts 2.x internals

  16. OGNL expressions

  17. com.opensymphony.xwork2.ognl.OgnlUtil

  18. ognl.OgnlRuntime

  19. import java.lang.reflect.*; public static Object invokeMethod(Object target, Method method, Object[] argsArray) OgnlRuntime.java

  20. Untrusted user input + OGNL library

  21. Struts 2 internal security

  22. None
  23. None
  24. None
  25. June 2018

  26. September 9, 2017

  27. September 14, 2017

  28. October 3, 2017

  29. security advice from the Apache Software Foundation

  30. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions. apache.org — September 9, 2017

  31. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017

  32. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless. apache.org — September 9, 2017

  33. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017

  34. Establish monitoring for unusual access patterns to your public web resources. apache.org — September 9, 2017

  35. Automatic patching?

  36. I have talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep Greg Walden October 3, 2017

  37. I am unaware of an automatic patch. Richard Smith, former Equifax CEO October 3, 2017

  38. automatic dependency updates?

  39. https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ Dependabot

  40. https://github.com/scala-steward-org/scala-steward

  41. https://snyk.io/ Snyk

  42. How can I learn more about web application security?

  43. www.owasp.org

  44. Conclusion • establish security layers • automate dependency updates • monitor for unusual access patterns • encrypt sensitive data

  45. questions?

  46. THE END

  47. Bonus slides

  48. Ars Technica — September 13, 2017

  49. None
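Slides 11 to 14 name the three request headers the Jakarta Multipart parser mishandled, and slide 34 advises monitoring public web resources for unusual access patterns. As an added example (not part of the deck and not Apache Struts code), the following Python applies positive grammar validation to exactly those headers over a constructed batch of requests, flagging any value that cannot be a legitimate media type, disposition or length; the sample requests and the `#cmd=` placeholder value are constructed and not functional.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 token / quoted-string grammar, used to positively validate the three
# headers CVE-2017-5638 abuses; any value that does not fit is flagged.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_PARAMS = rf"(?:\s*;\s*{_PARAM})*\s*$"
_RULES = {
    "content-type": re.compile(rf"^{_TOKEN}/{_TOKEN}{_PARAMS}"),  # type/subtype;params
    "content-disposition": re.compile(rf"^{_TOKEN}{_PARAMS}"),   # disposition;params
    "content-length": re.compile(r"^[0-9]+$"),
}
# OGNL/EL expression delimiters never appear in a legitimate value of these headers.
_EXPRESSION_MARKERS = ("%{", "${")

def check_header(name: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one request header; headers without a rule pass."""
    rule = _RULES.get(name.lower())
    if rule is None:
        return True, "not inspected"
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return False, "expression syntax"
    if not rule.match(value):
        return False, "malformed value"
    return True, "ok"

def flag_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run the checks over a batch of requests; return (index, header, reason) hits."""
    hits = []
    for i, headers in enumerate(requests):
        for name, value in headers.items():
            ok, reason = check_header(name, value)
            if not ok:
                hits.append((i, name, reason))
    return hits

# Constructed sample requests, not real traffic. Request 2 carries a non-functional
# placeholder of the shape the slides describe (a Content-Type with a #cmd= string).
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbc123",
     "Content-Length": "512"},
    {"Content-Type": "application/json; charset=utf-8",
     "Content-Disposition": 'form-data; name="upload"; filename="report.pdf"'},
    {"Content-Type": "%{#cmd=placeholder}", "Content-Length": "0"},
    {"Content-Type": "multipart/form-data; boundary=a b", "Content-Length": "12x"},
]
```

A multipart boundary that uses the RFC 2046 special characters must be quoted to pass, so tune the token grammar against your own traffic before alerting on "malformed value".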