Tag Archives: apache

Apache Foundation Patches Critical Struts Vulnerability

Earlier this week the Apache Software Foundation made available patches for Apache Struts (a web application framework (defined)), bringing the application's active development branches to versions 2.3.35 and 2.5.17. These versions address a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) known as CVE-2018-11776. This vulnerability was responsibly disclosed (defined) by the security researcher Man Yue Mo.

Why should this vulnerability be considered important?
A data breach at the credit rating agency Equifax last year occurred in part due to their failure to patch their affected web servers. The vulnerability resolved this week can be exploited by an attacker simply by visiting a specially crafted URL (defined) on the affected web server (defined). Once exploited, the server can be completely under the attacker's control.

Typically within days of a vulnerability being disclosed, attackers begin to target and exploit it. Compromised web servers (which are already public facing and can be located using Shodan) can be used as an entry point into other areas of your corporate network. Any application making use of the Struts framework is vulnerable regardless of whether those applications use plugins.

How to tell if your installation of Apache Struts is vulnerable?
Your Apache Struts installation is vulnerable if both of the conditions listed below are true (my thanks to this Semmle blog post for this information):

=====================

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace="main">), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

=====================
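As an added example (not code from the post, from Semmle or from the Struts project), the Python below applies the two conditions above to a struts.xml file: it looks for the struts.mapper.alwaysSelectFullNamespace constant and lists the actions that sit in packages whose namespace is missing or a wildcard. The struts.xml shown is constructed, and actions configured through the Convention plugin's Java annotations are not visible to an XML check like this one.

```python
import xml.etree.ElementTree as ET

# Constant name that carries the alwaysSelectFullNamespace flag in struts.xml.
FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml: flag on, one package without a namespace,
# one with a wildcard namespace and one with a concrete namespace.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.Index"><result>/index.jsp</result></action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show" class="example.Show"><result>/show.jsp</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="login" class="example.Login"><result>/login.jsp</result></action>
  </package>
</struts>
"""

# Same configuration with the flag off, so condition 1 no longer holds.
SAFE_STRUTS_XML = SAMPLE_STRUTS_XML.replace('value="true"', 'value="false"')


def flag_enabled(root):
    """Condition 1: the alwaysSelectFullNamespace constant is set to true."""
    return any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )


def find_risky_actions(struts_xml):
    """Return (package, action) pairs that meet both conditions, or [] when
    condition 1 fails. In struts.xml the namespace sits on <package>; a
    missing one means the root namespace, and any value containing '*' is
    treated as a wildcard (condition 2)."""
    root = ET.fromstring(struts_xml)
    if not flag_enabled(root):
        return []
    risky = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns == "" or "*" in ns:
            for action in pkg.iter("action"):
                risky.append((pkg.get("name"), action.get("name")))
    return risky
```

A non-empty result means the deployment should be treated as vulnerable until upgraded; an empty result only clears the XML-configured actions.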

How can I protect my web servers from this vulnerability?
Depending upon which version of Apache Struts your web server is using, please upgrade to version 2.3.35 or 2.5.17 as soon as possible.

Thank you.

OpenSSL Heartbleed persists on 200,000 systems/devices

April 2014 saw the worldwide public disclosure of the Heartbleed vulnerability (a difficult to detect and easy to exploit information disclosure issue) within the open source OpenSSL encryption library. Almost 3 years on, approximately 200,000 servers/devices remain vulnerable.

Shodan, the search engine that can detect vulnerable devices connected to the internet, released these findings in their Heartbleed report during the weekend of January 21. The report highlights that approximately 52,000 Apache web servers with version numbers 2.2.2 and 2.2.15 remain critically vulnerable. Amazon Web Services and Verizon Wireless were the largest hosts of these vulnerable systems, with the United States being the location of the most vulnerable internet service providers (ISPs). Another significant finding of the report is that many organizations/businesses are unaware that their physical and virtual servers are vulnerable.

How Can I Protect Myself from This Vulnerability?
If you or someone in your organisation uses physical or virtual servers, please ensure these servers have all vendor security updates installed, specifically updates from OpenSSL. Unsupported web servers (physical or virtual) or software (which uses the OpenSSL libraries) should be upgraded or replaced. Moreover, OpenSSL versions prior to 1.0.2 are no longer supported; please upgrade to version 1.0.2 or 1.1.0.

Due to the increasing number of devices connected to the internet, organizations and individuals need to be aware of whether their devices or software are vulnerable. For example, earlier this month vulnerable MongoDB, Elasticsearch, Hadoop and CouchDB servers. Any software that connects to the internet, especially VPN (Virtual Private Network) (defined) software, may be vulnerable to the Heartbleed vulnerability.

Thank you.

=======================
Aside:
=======================
What is Shodan?
Shodan was originally created as a project in 2003 by computer programmer John Matherly, who launched the Shodan website in 2009. It is named after the enemy AI of the System Shock series of video games.

It is a search engine like Google, Bing and Yahoo, but it isn't searching for websites that best match the text we enter. Instead it indexes and categorizes all devices connected to the internet. It does this by searching for and interpreting their banner, e.g. Apache 2.4.3, OpenSSL/1.0.1c PHP/5.4.7.

It is usually web servers that use such banners, but many devices (e.g. FTP and mail servers) use banners to describe the services they offer, what operating system they are running (e.g. Red Hat Linux) and the ports they have open (e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP, 25 for SMTP, 23 for Telnet, 22 for SSH, etc.). For example, we use ports 80 and 443 every day, as well as port 25 for email.
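As an added example (not code from the post or from Shodan), the Python below pulls the OpenSSL version out of banners like the one quoted above and triages each against the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and the earlier post's rule that releases prior to 1.0.2 are unsupported. The banners are constructed.

```python
import re

# Constructed banners in the style the post quotes, e.g. from a Server header.
SAMPLE_BANNERS = [
    "Apache/2.4.3 (Unix) OpenSSL/1.0.1c PHP/5.4.7",
    "Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips",
    "Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g",
    "nginx/1.10.3",
]

# Matches e.g. OpenSSL/1.0.1c or OpenSSL/1.0.1e-fips (patch letter optional).
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl(banner):
    """Return (major, minor, patch, letter) or None if no OpenSSL token."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_affected(ver):
    """Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it."""
    major, minor, patch, letter = ver
    return (major, minor, patch) == (1, 0, 1) and letter < "g"


def unsupported(ver):
    """The post: OpenSSL releases before 1.0.2 are no longer supported."""
    return ver[:3] < (1, 0, 2)


def classify(banner):
    """Triage one banner: heartbleed, unsupported, ok or no-openssl-banner."""
    ver = parse_openssl(banner)
    if ver is None:
        return "no-openssl-banner"
    if heartbleed_affected(ver):
        return "heartbleed"
    if unsupported(ver):
        return "unsupported"
    return "ok"
```

Treat the result as a triage hint only: distributions such as Red Hat backport fixes without changing the version string, so a 1.0.1e banner on a patched host is a false positive, and a server configured to hide its banner yields no token at all.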

What can it be used for?

  • Shodan can be used to detect the types of devices on your network and what ports (entry points to and from those devices) they are using. This is good to know since you can then better secure them against possible attack. Shodan can also be used to look for and access any device that is poorly configured, namely one that allows access to its configuration/admin page from the Internet.
  • You can also use it to check if there are any unknown devices on your network that arrived through social engineering, e.g. a new router/access point in a conference room, or shadow IT (devices installed by staff without the knowledge of the IT team).