The difficulty with patching deserialization vulnerabilities
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language.
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Application Security Researcher - R&D Engineer - PhD Candidate
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Application Security Researcher - R&D Engineer - PhD Candidate
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
Table of contents
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
.png)
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
