On September 5th, Apache Struts 2.5.13 was released, fixing a number of vulnerabilities from older versions. Apache Struts is a popular open-source framework for developing web applications in Java. CVE-2017-9805 gained a lot of traction in the news this week because it was allegedly used in the Equifax hack (see Apache Foundation reaction confirming this was the case). The Equifax breach carries considerable weight as it may have exposed personal information on up to 143 million American consumers. The Apache Struts vulnerability allows unauthenticated remote code execution on Java web applications that use Apache Struts.
The weakness lies within the REST plugin, which uses XStream for deserializing untrusted XML blobs coming from the user’s HTTP requests. XStream is a common Java library for deserializing of objects represented as XML, one of it’s feature is serialization of complex Java objects. This weakness of XStream can be exploited easily – an attacker has to create a Java object which in its deserialization process will call a function, then serialize it with XStream and later pass it through HTTP request to the XStream parser inside Struts.
Deserialization vulnerabilities are not new, they have been around for the past couple of years (one of the most famous is an XXE vulnerability in Facebook). They exist in most modern high-level languages which support packing of objects. The unpacking functions, the weakest link in the chain, are usually hard to secure. For example, in most languages, unpacking an object with constructor will result in executing it’s code. They are dangerous if the code tries to deserialize data that came from untrusted source (e.g. the user).
The vulnerability affects all versions of Struts since 2008 and closed in Struts versions 2.3.34 and 2.5.13.
Twistlock Customers Protected
Twistlock detects this vulnerability within a container image using two different mechanisms:
Apache Struts is installed as a package
When Apache Struts is installed through the Linux package manage, Twistlock verifies the package against a known list of vulnerable packages. This feature is supported for all major Linux distributions including: Ubuntu, Debian, Alpine, RedHat, CentOS, and OpenSUSE.
Apache Struts is installed as a standalone Java archive (JAR)
Twistlock inspects JAR and WAR Java archives and detects vulnerable packages:
Regardless of how Struts is packaged in your images, Twistlock is also able to prevent images with the vulnerability from being deployed in the first place. This is a powerful capability that helps organizations establish quality gates to their production environment, that provide granular control for vulnerabilities before they’re deployed. Here’s an example of a rule specifically targeting the struts vulnerability:
With this rule in place, Twistlock prevents images affected by this CVE from ever being run in the first place:
nnn@nnn-laptop:~$ sudo docker run -d -p 8081:8080 bourkey/apache-struts2-cve-2017-9805:latest [sudo] password for nnn: docker: Error response from daemon: [Twistlock] Image operation blocked by policy: (CVE-20187-9805), has specific CVE CVE-2017-5638. See 'docker run --help
Twistlock’s Vulnerability Explorer also makes it easy to quickly visualize the entire scope of your exposure. Simply enter the CVE ID and we’ll show the risk tree for your environment, instantly fanning out all the impacted images, what containers they’re running in, and what hosts those containers run on. All this data is also available in CSV and JSON so it’s easy to integrate with other tools:
In vulnerable containers, which were not patched yet, Twistlock has another layer of defense; Twistlock Runtime mechanisms will detect and block any abnormal behavior which may be the result of exploiting this vulnerability.
Taking action to prevent a breach
Quickly after the Apache Struts vulnerability was published, multiple working exploits were seen online. These exploits allow novice hackers who aren’t proficient with exploit development to use these code samples, and hack Apache Struts apps coming their way.
Upgrading your Apache Struts to 2.3.34 or 2.5.13 will close this vulnerability, but sometimes it’s not a feasible solution. In that case, if Struts REST plugin is not used, removing it will solve the issue.
This vulnerability is in a framework, and as one it affects a lot of products that will soon be announced as vulnerable, such as Cisco products. We will continue updating this post with new vulnerable open-source and commercial products.
Thanks for reading, and follow our Twitter to get more security alerts like this.
Get a demo today to find out how to get your organization up and running with Twistlock.