Apache Struts and the Equifax data breach 2021-06-03

Sean Sulliva
n

June 3, 2021

View Slide

September 7, 2017

View Slide

www.equifax.com

View Slide

Last Week Tonight — October 15, 2017

View Slide

View Slide

We know that criminals exploited a US website
application vulnerability.

The vulnerability was Apache Struts CVE-2017-5638
.

September 2017

View Slide

https://nvd.nist.gov

View Slide

The Jakarta Multipart parser in Apache Struts 2
2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has
incorrect exception handling and error-message
generation during
fi
le-upload

CVE-2017-5638

View Slide

allows remote attackers to execute
arbitrary command
s

CVE-2017-5638

View Slide

via a crafted Content-Type, Content-Disposition,
or Content-Length HTTP header, as exploited in
the wild in March 2017 with a Content-Type
header containing a #cmd= strin
g

CVE-2017-5638

View Slide

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Malicious payload in Content-Type header

View Slide

Struts 2.x internals

View Slide

OGNL expressions

View Slide

com.opensymphony.xwork2.ognl.OgnlUtil

View Slide

ognl.OgnlRuntime

View Slide

import java.lang.re
fl
ect.*
;

public static Object invokeMethod
(

Object target
,

Method method,

Object[] argsArray
)

OgnlRuntime.java

View Slide

Untrusted user inpu
t

+

OGNL librar
y

View Slide

Struts
2

internal security

View Slide

View Slide

June 2018

View Slide

September 9, 2017

View Slide

September 14, 2017

View Slide

October 3, 2017

View Slide

security advic
e

from th
e

Apache Software Foundation

View Slide

Understand which supporting frameworks and
libraries are used in your software products and
in which versions.

Keep track of security announcements affecting
this products and versions
.

apache.org — September 9, 2017

View Slide

Establish a process to quickly roll out a security
fi
x release of your software product once
supporting frameworks or libraries needs to be
updated for security reasons
.

Best is to think in terms of hours or a few days,
not weeks or months.

View Slide

Any complex software contains
fl
aws.

Don't build your security policy on the
assumption that supporting software products
are
fl
awless

View Slide

Establish security layers
.

It is good software engineering practice to have
individually secured layers behind a public-
facing presentation layer such as the Apache
Struts framework.

View Slide

Establish monitoring for unusual access
patterns to your public web resources.


View Slide

Automatic patching?

View Slide

I have talked to other software companies and people in
this space who say some companies have an automated
system that when a patch comes out it automatically gets
installed.

That is not what you had necessarily, right
?

Rep Greg Walde
n

October 3, 2017

View Slide

I am unaware of an automatic patch
.

Richard Smit
h

former Equifax CE
O

October 3, 2017

View Slide

automatic
dependency
updates?

View Slide

https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
Dependabot

View Slide

https://github.com/scala-steward-org/scala-steward

View Slide

https://snyk.io/
Snyk

View Slide

How can I learn
more about web
application
security?

View Slide

www.owasp.org

View Slide

Conclusion
• establish security layer
s

• automate dependency update
s

• monitor for unusual access pattern
s

• encrypt sensitive data

View Slide

Apache Struts and the Equifax data breach 2021-06-03

Apache Struts and the Equifax data breach 2021-06-03

sullis

More Decks by sullis

Other Decks in Technology

Featured

Transcript