Krebs just posted that Apache has released software fixes for a newly discovered vulnerability. And hackers already have exploit blueprints online.
Attackers can exploit sites running the exposed Apache Struts installation by sending the right request to the site, which will force the web server to run any command desired by the hacker–such as adding or deleting files or copying internal databases. IT security experts commented below.
Jeannie Warner, Security Manager at WhiteHat Security:
Other steps organizations can take to mitigate the risk of breaches prior to fixing include 1) implementing web application firewalls (WAFs) or runtime application self-protection (RASP), 2) using software composition analysis (SCA) to find vulnerable platforms and third-party libraries and add them to standard patch management (where possible), and best of all, 3) making security testing a part of the entire lifecycle of an application. Security training and education, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk, are also vital.”
Renaud Deraison, Co-founder and CTO at Tenable:
Tim Mackey, Technical Evangelist at Black Duck by Synopsys:
In the case of CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework. Unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.
Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.