Krebs just posted that Apache has released software fixes for a newly discovered vulnerability. And hackers already have exploit blueprints online.
Attackers can exploit sites running the exposed Apache Struts installation by sending the right request to the site, which will force the web server to run any command desired by the hacker–such as adding or deleting files or copying internal databases. IT security experts commented below.
“Apache Struts is used by some of the world’s largest companies. The more common the vulnerability, the more it helps attackers simplify their process…and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There’s no time to waste—unless they want to be the next major breach victim.
Other steps organizations can take to mitigate the risk of breaches prior to fixing include 1) implementing web application firewalls (WAFs) or runtime application self-protection (RASP), 2) using software composition analysis (SCA) to find vulnerable platforms and third-party libraries and add them to standard patch management (where possible), and best of all, 3) making security testing a part of the entire lifecycle of an application. Security training and education, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk, are also vital.”
“APTs and nation-state attacks — be they from Russia or any other actor — are a real threat for a very small percentage of companies. In reality, the threats that most organisations are dealing with today are the result of foundational security issues, like failing to patch systems when a critical vulnerability is disclosed. This latest Apache Struts vulnerability is a reminder of the importance of a basic, critical but very unsexy security measure that every organisation should be doing: Maintain your systems. Many web based remote code execution vulnerabilities like this one are researched quickly, with publicly available exploits appearing in less than a few days after disclosure. As we saw with Equifax, cybercriminals are taking advantage of organisations that are either unwilling or unable to patch their systems, resulting in catastrophic consequences. Don’t let this flaw be the reason for the next mega breach. Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.”
“In 2016 and 2017, the Apache Struts community disclosed a series of remote code execution vulnerabilities. These vulnerabilities all related to the improper handling of unvalidated data. In identifying CVE-2018-11776, the researcher looked at prior remote code execution vulnerabilities within Struts to determine if there was a coding pattern which lead to them. As background, developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features. This attribute is a positive when the library or paradigm is of high quality, but when a security defect is uncovered this same attribute often leads to a pattern of security issues.
In the case of CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework. Unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.
Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.