Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apache Struts and the Equifax data breach 2021-06-03

Apache Struts and the Equifax data breach 2021-06-03

Apache Struts and the Equifax data breach
June 3, 2021


June 03, 2021

More Decks by sullis

Other Decks in Technology


  1. We know that criminals exploited a US website application vulnerability.

    The vulnerability was Apache Struts CVE-2017-5638 . September 2017
  2. The Jakarta Multipart parser in Apache Struts 2 2.3.x before

    2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during fi le-upload CVE-2017-5638
  3. via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as

    exploited in the wild in March 2017 with a Content-Type header containing a #cmd= strin g CVE-2017-5638
  4. import java.lang.re fl ect.* ; public static Object invokeMethod (

    Object target , Method method, Object[] argsArray ) OgnlRuntime.java
  5. Understand which supporting frameworks and libraries are used in your

    software products and in which versions. Keep track of security announcements affecting this products and versions . apache.org — September 9, 2017
  6. Establish a process to quickly roll out a security fi

    x release of your software product once supporting frameworks or libraries needs to be updated for security reasons . apache.org — September 9, 2017 Best is to think in terms of hours or a few days, not weeks or months.
  7. Any complex software contains fl aws. Don't build your security

    policy on the assumption that supporting software products are fl awless apache.org — September 9, 2017
  8. Establish security layers . It is good software engineering practice

    to have individually secured layers behind a public- facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017
  9. Establish monitoring for unusual access patterns to your public web

    resources. apache.org — September 9, 2017
  10. I have talked to other software companies and people in

    this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right ? Rep Greg Walde n October 3, 2017
  11. I am unaware of an automatic patch . Richard Smit

    h former Equifax CE O October 3, 2017
  12. Conclusion • establish security layer s • automate dependency update

    s • monitor for unusual access pattern s • encrypt sensitive data