A Baird Equity Research report [PDF] blamed the recent Equifax breach that exposed 143 million consumers’ personal information on a security flaw in the open source Apache Struts framework, which is used to build Java Web applications.
Contrast Security co-founder and CTO Jeff Williams noted in a blog post that the Struts vulnerability in question could either be CVE-2017-5638, which was made public in March 2017, or CVE-2017-9805, which was made public last week.
Because the Equifax breach took place in July, Williams noted, the former is much more likely — CVE-2017-5638 is also easier to exploit and is much better known, and Contrast has seen widespread attacks against CVE-2017-5638 worldwide for several months.
“I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,” he wrote. “Even in the best run organizations, there is often a gap of many months between vulnerability disclosure and updates being made to applications.”
The incident highlights the ongoing need for proper patch management.
It’s no surprise, Williams said, that Web application attacks are the leading cause of large breaches. “The *average* Web application or API has 26.7 serious vulnerabilities,” he wrote. “That is a staggering, unbelievable number. And organizations often have hundreds, thousands, or even tens of thousands of applications.”
In a statement, the Apache Struts vice president Rene Gielen said the Struts development team “puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention.”
To avoid breaches like the one at Equifax, Gielen urged users to be sure they know which supporting frameworks and libraries are used in their software products, and keep track of security announcements affecting those products.
It’s also crucial to establish a speedy security fix process for those products if supporting frameworks are updated. “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years,” Gielen wrote.
“The automotive industry solved this problem over 100 years ago by maintaining a bill-of-materials for all parts used in a car,” Black Duck Software vice president of security strategy Mike Pittenger told eSecurity Planet by email. “Doing the same with software — maintaining an accurate list of all components used in each application — makes incident response much easier when vulnerabilities like this are disclosed.”
Know Your Assets
But most companies today don’t even have an up-to-date application inventory, High-Tech Bridge CEO and founder Ilia Kolochenko said by email. “Without knowing your assets, you won’t be able to protect them,” he said. “Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine learning in their attacks.”
In a blog post, Alert Logic co-founder Misha Govshteyn said it’s important to keep in mind that it’s not specifically Equifax code that failed — the vulnerability was inherited from an underlying Web application component. “This is one of the most misunderstood points in cyber security today — Web application stacks are complex organisms and you can end up with [a] major vulnerability without trying too hard,” he wrote.
“Most enterprise cyber security teams spend more time brushing up on the latest activities of Grizzly Steppe and Deep Panda… than understanding the Web application stack their own software teams are using, and these stacks are a major source of risk,” Govshteyn wrote.
At the same time, Govshteyn noted, proper controls would have made a big difference for Equifax. “In this case, only a properly configured Web Application Firewall would have stopped the attack and effective post-compromise detection could have reduced dwell time from two months to a much smaller window,” he wrote. “That could have been the difference between stopping this breach and losing data for 143 million people.”