Apache Struts Understanding how Apache Struts...

RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.

Apache Struts Understanding how Apache Struts vulnerabilitiescould impact your organizationWith Updated Findings August 2018

S P O T L I G H T

Apache Struts is a free, open-source Model View Controller (MVC) framework. Introduced around 2006, this framework is extensively used in creating Java-based web applications. Over the last 12 years, we have observed an increase in Apache Struts weaponization; with this information in mind, an unpatched Apache Struts vulnerability (CVE-2017-5638) was the foundation of a significant data breach that put Apache Struts into the spotlight. This weakness emphasized the impending risks for Apache Struts-based applications. Even today, scanners do not detect all known vulnerabilities; as of 10/10/2017, the leading scanners still missed 25 total unique Common Vulnerabilities and Exposures (CVEs).

In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide insight into exploit patterns and explain how these patterns can define an organization’s risk management strategy.

We extend our findings to the latest set of Apache Struts vulnerabilities published after September 2017. We have identified a continuing trend of vulnerability disclosure latency and weaponization patterns. Further, the RCE exploits on deserialization flaws are still continuing.

Introduction

CVE-2017-5638 Timeline

Apache Struts Vulnerabilities’ Weaponization Patterns

Weaponization Timeline and Exploit Patterns

What Does This Mean for Organizational Cyber Risk Management?

Revisiting Apache Struts After One Year

3

3

4

6

7

8

Table of Contents

Apache Struts in the Spotlight • August 2018

Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Background


Mega Data BreachBreaking News

Attack Occured

3 4 5 6 7 8 9 109.7. 2017

CVE-2017-5638 Published

RiskSense Prioritized CVE-2017-5638 in the Platform

3 4

Exploit Released

3.6.17NVD Released3.10.17

3.9.17 3.25.17

CVE-2017-5638 Timeline

Introduction

Figure 1

Developers use Apache Struts’ MVC framework to build Internet-facing web applications that regularly accept and execute user input. User inputs are processed at the server side using parsers or internal objects. These input handlers are subjected to remote code execution (RCE)-based exploits and arbitrary command injections resulting from underlying implementation flaws. Among the 27 Apache Struts vulnerabilities found with exploits, we observed the following:

• The average vulnerability disclosure time latency for RCE-based vulnerabilities is 39 days and 29 days for non-RCE-based vulnerabilities.

The exploit belonging to both the remote and web application category is CVE-2017-5638.

CVE-2017-5638 is an incorrect exception handling, error message generating vulnerability present during file upload attempts in Jakarta Multipart parser in the following Apache Struts versions:

• Apache Struts 2.2.3.x before 2.3.32• Apache Struts 2.5.x before 2.5.10.1

This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. Figure 1 shows CVE-2017-5638’s overall timeline, including the vulnerability’s initial disclosure and exploitation in the wild. While the vendor disclosed the vulnerability and patch on 03/06/2017, an applicable exploit was released on 03/09/2017. It is important to note that RiskSense was the only organization that uncovered the related exploit so early. We were able to do this by tracking Apache Struts code commits in Github.

The vulnerability was accepted into the National Vulnerability Database (NVD) on 03/10/2017. It should be noted that the NVD had a delay of four days in accepting and publishing this critical vulnerability. This delay between a vendor disclosing a vulnerability and the vulnerability’s publication in the NVD is known as vulnera-bility disclosure time latency. Based on the prevalence of the exploit in the wild, RiskSense prioritized this vulnerability for our clients on 03/25/2017. As predicted by RiskSense (based on the exploit’s trend in the wild), the vulnerability was used in a high-pro-file attack that resulted in a mega data breach.


Table 1

Exploit Type

RCE

Non-RCE

Both

17 days after vendor disclosure



20

6

1

Weaponization Latency (in Days)Exploit Count


After analyzing CVE-2017-5638’s event timeline, it is evident that a critical vulnerability had not been prioritized in the target organization's risk management process. There may be several reasons for such lack of prioritization, such as:

• Unavailability of an actionable intelligence platform• Weak risk prioritization strategy

An efficient risk management strategy demands a proper vulnerability prioritization process. RiskSense’s vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. Weaponization is defined as creating malicious content (such as malware, exploits, etc.) that

exploits a vulnerability. Here, we present our findings on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities. Such exploit pattern analysis allows us to predict exploitability of vulnerabilities, and correlat-ing this information with the target client infrastructure allows us to better prioritize vulnerabilities for efficient remediation.

Figure 2 shows the Apache Struts-related vulnerabilities’ disclosure time latency patterns over the last ten years. The vulnerability disclosure time latency shows the latency (in days) between the vendor release date and NVD publication date for a given vulnerability. Vulnerability criticality is determined from the Common Vulnerability Scoring System (CVSS) score.

Latency in days before a CVE appears in NVD

4

80

15

55

289

5

17

41

41

49

49

49

14

8

55

83

17

26

66

4

54

14

14

10

5

18

39

0

5

210 284

156

124

0 days

50 days

100 days

150 days

200 days

250 days

10 2.610

10

10

10

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

7.8

7.57.5

7.5 7.57.5

7.5

7.5

7.5

7.5

6.8

6.8

6.4

5.8

5

5

5

5

5

4.3

4.34.3

CVE-2017-5638CVE-2011-1772

CVE-2016-3082

CVE-2016-0785

CVE-2013-4316

CVE-2012-0838

CVE-2016-3081

CVE-2013-2251

CVE-2013-2135

CVE-2013-2134

CVE-2013-2115

CVE-2013-1966

CVE-2013-1965

CVE-2012-0392

CVE-2012-0391

CVE-2014-0114

CVE-2014-0094

CVE-2006-1546CVE-2017-9791

Data is up-to-date as Oct 2nd, 2017

CVE-2016-4438CVE-2016-4436

CVE-2016-3087

CVE-2015-1831

CVE-2014-0113

CVE-2014-0112

CVE-2006-1547

CVE-2017-9805

CVE-2012-0394

CVE-2013-2248

CVE-2011-5057

CVE-2012-1007

CVE-2012-1006

CVE-2005-3745

CVE-2008-6504

24 CVEs with CVSS > 7

13 CVEswith CVSS < 7

CVSS v2

CVEs have applicable exploits


Apache Struts Vulnerabilities’ Weaponization Patterns

Figure 2

CVE-2008-6505

CVE-2010-1870

CVE-2012-0393


Table 2

Table 3


We use the NVD as a reference for computing the vulnerability disclosure time latency, since the NVD is considered a standard repository for vulnerability publication and notification. The following table shows the Apache Struts-related CVEs with their severity, associated CVSS V2/V3 scores, NVD Vulnerability Latency,

and Exploit Type. All CVSS scores provided below were obtained from the NVD. As such, the NVD applied CVSS V3 scores only for CVEs from 2016 and later. The NVD Vulnerability Disclosure Time Latency denotes the time (in days) it took from the vendor’s vulnerability disclosure to the NVD’s vulnerability publication.

We were able to make the following observations using the information in Table 2 and Figure 2:

1. Table 2 and Figure 2 show that vulnerability disclosure time latency is present for the majority of vulnerabilities.2. Table 3 highlights the CVEs that have a time latency of more than 100 days:

CVE

CVE-2008-6504

CVE-2012-0391

CVE-2012-0838

CVE-2016-4436

284

156

210

124

Latency (in Days)

CVE

CVE-2011-1772

CVE-2005-3745

CVE-2012-1006

CVE-2012-1007

CVE-2008-6504

CVE-2008-6505

CVE-2010-1870

CVE-2011-5057

CVE-2014-0094

CVE-2013-2248

CVE-2012-0393

CVE-2012-0394

CVE-2017-9805

CVE-2014-0112

CVE-2014-0113

CVE-2015-1831

CVE-2016-3087

CVE-2016-4436

CVE-2016-4438

CVE-2017-9791

CVE-2006-1546

CVE-2014-0114

CVE-2006-1547

CVE-2012-0391

CVE-2012-0392

CVE-2013-1965

CVE-2013-1966

CVE-2013-2115

CVE-2013-2134

CVE-2013-2135

CVE-2013-2251

CVE-2016-3081

CVE-2012-0838

CVE-2013-4316

CVE-2016-0785

CVE-2016-3082

CVE-2017-5638

Severity

Low

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium/High

High

High

High

High/Critical

High/Critical

High/Critical

High/Critical

High

High

High

High

High

High

High

High

High

High

High

High

High

High

High

High/Critical

High/Critical

CVSS V2

2.6

4.3

4.3

4.3

5.0

5.0

5.0

5.0

5.0

5.8

6.4

6.8

6.8

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.8

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

10

10

10

10

10

NVD Vuln. Latency

80 days

1 day

5 days

5 days

284 days

0 day

39 days

18 days

5 days

5 days

14 days

14 days

10 days

54 days

4 days

66 days

26 days

124 days

17 days

3 days

8 days

55 days

8 days

156 days

14 days

49 days

49 days

49 days

41 days

41 days

17 days

5 days

210 days

9 days

28 days

5 days

4 days

Exploit Type

Remote

Remote

WebApps

WebApps

Remote

Remote

Remote

Remote

Remote

Remote

WebApps

Remote

Remote

Remote

Remote

No Exploit

Remote

No Exploit

No Exploit

WebApps

No Exploit

Remote

No Exploit

WebApps

WebApps

Remote

Remote

Remote

Remote

No Exploit

Remote

Remote

No Exploit

No Exploit

No Exploit

No Exploit

Remote, Webapps

CVSS V3

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

9.8

9.8

9.8

9.8

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

8.1

N/A

N/A

8.8

9.8

10

8.1


We analyzed the weaponization timelines for all CVEs with exploits. Particularly, it is interesting to identify if the weaponiza-tion occurs during the vulnerability disclosure timeline. This means that organizations that are susceptible to such vulnera-bilities are at even more risk due to the following reasons:

1. Organizations relying on NVD for timely vulnerability disclosures are highly vulnerable during the vulnerability disclosure latency.2. When weaponization occurs during latency, some organizations are at even higher risk of a data breach or falling prey to massive cyber attacks.

We define weaponization states through relationships between the vendor's CVE disclosure date, patch/workaround date, exploit weaponization date, and NVD disclosure date, as shown in Figure 3. We can determine an exploit's organizational impact from the order of these events. From this, we mapped four unique weaponization states, as shown below:

Exploit released before NVD publication and before patch releaseExploit released before NVD publication and after patch releaseExploit released after NVD publication and after patch releaseExploit released after NVD publication and before patch release

Weaponization Timeline and Exploit Patterns

< NVD, <Exploit released before NVD published before

patch released

<NVD , <Exploit released after NVD published after

patch released

CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114

Exploit released 14 days before patch was released

2005

2008

2011

2012

2014

2016

2017

CVE-2011-1772CVE-2011-5057

Data is up-to-date as Oct 2nd, 2017 • Weaponization patterns for post Oct 2nd, 2017 is available in Figure 4

Figure 3

CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007

CVE-2017-5638CVE-2017-9791CVE-2017-9805

CVE-2005-3745

CVE-2016-3081CVE-2016-3087

CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251

2013

CVSS v22.6 4.3 5.0

5.86.46.8

7.57.8

9.3 10

< <NVDExploit released afterNVD published before

patch released CVE-2010-1870

CVE-2008-6504CVE-2008-6505Exploit released 139 days before patch was released

2010

3. Among the 27 CVEs that have applicable exploits, 26 are subjected to vulnerability disclosure latency. This can be observed from the data presented in Table 2. 4. It is also interesting to note that among the 27 CVEs with exploits, 12 of those CVEs are low or medium severity vulnerabilities. This emphasizes the fact that CVE severity is not a crucial determinant factor when identifying high-risk CVEs. Organizations typically focus on remediating high-severity CVEs; however, low and medium severity CVEs should also be prioritized in the remediation strategy based on their applicable exploits. 5. The majority of the associated exploit types are remote, meaning they could be delivered and executed through an RCE strategy. This observation again emphasizes why organizations should focus on tackling RCE-based exploits while securing their Apache Struts-based application infrastructure.



Table 4


What Does This Mean for Organizational Cyber Risk Management?It is evident from the data breach (caused by unpatched CVE-2017-5638) how organizations are falling behind in the vulnerability prioritization and mitigation game. RiskSense’s observations from the latency and weaponization patterns makes cyber risk management through vulnerability prioritization a multi-faceted and complex problem, especially if organizations are using diverse software and hardware stacks and do not receive timely updates on applicable vulnerabilities (due to a lack of a reliable unified notification source), then they are secure only until the weaponization of those vulnerabilities.

Even if exploitable vulnerabilities are revealed to organizations, they often fail to gauge the risk of such vulnerabilities to their organization's business and fail in prioritization. This is due to the lack of capabilities that will prioritize vulnerabilities not just based on their severity (we have already seen vulnerabilities with CVSS < 7 have malicious exploits) but also on their potential exploitability.

Organizations should implement their risk mitigation around RCE-based exploits and their related vulnerabilities, which scanners often fail to detect. We continue to see recent trends

suggesting that RCE-based exploits are some of the most effective exploits, as highlighted by CVE-2017-5638 and CVE-2017-9805.

To this end, it is extremely critical for organizations to adapt a threat- and risk-centric approach to vulnerability prioritization and remediation. Such approaches should consider both the organization's asset criticality and historical analysis of weaponization patterns of vulnerabilities so that both exploitability and risk of vulnerabilities can be predicted accurately.

The following table shows CVE weaponization patterns by year. As mentioned previously, CVSS V3 scores are only included for vulnerabilities from 2016 and later. Weaponization Latency is defined as the time (in days) it took from the vendor disclosure to the creation of an exploit targeting the vulnerability. The following bullets explain how to interpret the weaponization latency values presented in Table 4.

Our analysis on applicable exploits reveal interesting patterns in both exploit delivery and underlying weaknesses in Apache Struts. Note that most low and medium severity vulnerabilities also have associated exploits. An organization may prioritize only resolving high vulnerabilities, leaving them weak to these exploits.

We also observed that remote exploits are used more frequently for weaponization. Most of the applicable exploits are delivered through URL code injection, some of which target the underlying weakness in the Object-Graph Navigation Library (OGNL). The remaining set of exploits are divided into cross-site scripting (XSS) and HTTP header-based injections.

• A weaponization latency of zero means an exploit was released the same day the vulnerability was disclosed by the vendor. • A positive weaponization latency means that the exploit was released before the vendor disclosed the vulnerability. • A negative weaponization latency means the vulnerability was disclosed before an exploit was applied.

Year

20052008 20102011 2012 2013 2014 2016 2017

CVE

CVE-2005-3745CVE-2008-6504 CVE-2008-6505CVE-2010-1870CVE-2011-1772CVE-2011-5057CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114CVE-2016-3081CVE-2016-3087CVE-2017-5638CVE-2017-9791CVE-2017-9805

CVSS V2/V3

4.35.05.05.02.65.09.39.36.46.84.34.39.39.39.39.35.89.35.07.57.57.59.3/8.17.5/9.810/107.5/9.86.8/8.1

Exploit Type

RemoteRemoteRemoteRemoteRemoteRemoteWebAppsWebAppsWebAppsRemoteWebAppsWebAppsRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemote, WebAppsWebAppsRemote

Weaponization Latency

0 day-145 days 139 days

-5 days -77 days 14 days

-154 days -12 days -12 days -12 days

-1 day -1 day

-14 days -8 days -8 days

0 day -2 days


-7 days -53 days


0 day 0 day

CVE Timeline


Revisiting Apache Struts After One YearApache has acknowledged and released patches for four vulnerabilities between Sept. 2017 and March 2018. Table 5 below providesoverall details of the vulnerabilities in terms of their severity (CVSS V2 and V3), earliest release latency, NVD latency, and threat applica-bility. The NVD latency is calculated as the number of days NVD takes to consume the vulnerability after the vendor releases it. Theearliest release latency specifies the number of days the vendor takes to acknowledge a vulnerability and release a solution after a thirdparty reveals it.

Two vulnerabilities (CVE-2017-12611 and CVE-2017-7525) have applicable threats (exploits). Remote Code Execution (RCE) still rules as the applicable exploit type for Struts-based vulnerabilities.

Vulnerability Disclosure and Weaponization LatencyWe will take a detailed look into the vulnerability disclosure andweaponization latency and identify if the NVD latency andweaponization trends from previous years are still continuing.The overall vulnerability disclosure and weaponization latencyfor each CVE is shown in figure 4.

The vulnerability disclosure latency between the vendor(Apache) and NVD still persists. Sometimes spanning overmonths for critical severity CVEs (like CVE-2017-7525). Aninteresting observation we have made is Struts-based vulnerabilities are released even before Apache acknowledges and releases patches for them through their security bulletin.

For example, China NVD (CNNVD) has released CVE-2017-12611 and CVE-2017-15707 before Apache and Redhat released CVE-2017-7525 before Apache. At the time of publication in CNNVD, Apache hasn’t still published solution or workaround related to those CVEs. Thus, qualifying them as zero day vulnerabilities.

Adversaries are still taking advantage of the vulnerabilitydisclosure latency to publish their exploits. For example, theweaponization of CVE-2017-12611 has preceded the NVDpublishing date. RCE is still the choice of exploit type foradversaries while weaponizing Apache Struts-based CVEs.


Table 5

CVE

CVE-2017-15707

CVE-2018-1327

CVE-2017-12611

CVE-2017-7525

Severity

Medium

Medium

High

High

CVSS V2

5.0

5.0

7.5

7.5

NVD Latency Earliest Release Latency

3 days

5 days

15 days

70 days

37 days

N/A

28 days

138 days

Has Exploit

No

No

Yes / RCE

Yes / RCE

CVSS V3

5.2

7.5

9.8

9.8

NVD Release (12.01.2017)Apache Release (11.29.2017)

CNNVD Release (10.23.2017)

7 8 9 10 11 1 432


7 8 9 10 11 12 1 432

5

5

CVE-2017-15707

CVE-2018-1327

12


Deserialization Flaws Continue

Deserialization flaws introduced by improper input validationstill continue. We have seen catastrophic effects of such flawsin the past with CVE-2017-9805. This trend is continuingwith CVE-2017-7525 which has an RCE exploit targeting theunderlying deserialization flaws. Deserialization flaws in web

frameworks and the corresponding RCEs exploiting them is acombination that should be prioritized within organizationalvulnerability management since this results in a high risksituation. Especially, when using open-source web frameworks.


Figure 4

<NVD , <

< < NVD

NVD Release (9.20.2017)Apache Release (9.6.2017) Patch Release (9.6.2017)

CNNVD Release (8.9.2017)

7 8 9 10 11 1 432 5

9.8. 2017CVE-2017-12611


Redhat Release (7.14.2017) Patch Release (7.14.2017)

7 8 9 10 11 12 1 4 532

4.22. 2018CVE-2017-7525

12

About RiskSenseRiskSense is disrupting the cyber risk market with a Risk-as-a-Service based platform that uses domain expertise and data in ways that are beyond human cognition to correlate your vulnerability data with threat intelligence and business impact to measure risk, provide early warning of weaponization, predict attacks and prioritize remediation. We are empowering our customers to reduce vulnerability fatigue, improve efficiency and quantify risk based on diagnostic and operational data.

The RiskSense Platform™ embodies the expertise and intimate knowledge gained from real world experience in defending critical networks from the world’s most dangerous cyber adversaries. As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program.

© 2018 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_ApacheStruts_08072018

RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.

Contact Us Today to Learn More About RiskSenseRiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | [email protected]

SCHEDULE A DEMOCONTACT US READ OUR BLOG

https://www.risksense.com/company/contact-us/

https://www.risksense.com/demonow/

https://www.risksense.com/blog/

Apache Struts Understanding how Apache Struts...

Documents

Transcript of Apache Struts Understanding how Apache Struts...