RiskSense Platform the industrys most comprehensive, intelligent platform for managing cyber risk.

S P O T L I G H T

Apache Struts Understanding how Apache Struts vulnerabilitiescould impact your organization

Apache Struts is a free, open-source Model View Controller (MVC) framework. Introduced around 2006, this framework is extensively used in creating Java-based web applications. Over the last 12 years, we have observed an increase in Apache Struts weaponization; with this information in mind, an unpatched Apache Struts vulnerability (CVE-2017-5638) was the foundation of a significant data breach that put Apache Struts into the spotlight. This weakness emphasized the impending risks for Apache Struts-based applications. Even today, scanners do not detect all known vulnerabilities; as of 10/10/2017, the leading scanners still missed 25 total unique Common Vulnerabilities and Exposures (CVEs).

In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide insight into exploit patterns and explain how these patterns can define an organizations risk management strategy.

Page 2

Introduction

CVE-2017-5638 Timeline

Apache Struts Vulnerabilities Weaponization Patterns

Weaponization Timeline and Exploit Patterns

What Does This Mean for Organizational Cyber Risk Management?

3

3

4

6

7

Table of Contents

Apache Struts in the Spotlight November 2017

Spotlight Apache Struts Understanding how Apache Struts vulnerabilities could imapct your organization

Background

Apache Struts in the Spotlight November 2017

Mega Data BreachBreaking News

Attack Occured

3 4 5 6 7 8 9 109.7. 2017

CVE-2017-5638 Published

RiskSense Prioritized CVE-2017-5638 in the Platform

3 4

Exploit Released

3.6.17NVD Released3.10.17

3.9.17 3.25.17

CVE-2017-5638 Timeline

Introduction

Figure 1

Developers use Apache Struts MVC framework to build Internet-facing web applications that regularly accept and execute user input. User inputs are processed at the server side using parsers or internal objects. These input handlers are subjected to remote code execution (RCE)-based exploits and arbitrary command injections resulting from underlying implementation flaws. Among the 27 Apache Struts vulnerabilities found with exploits, we observed the following:

The average vulnerability disclosure time latency for RCE-based vulnerabilities is 39 days and 29 days for non-RCE-based vulnerabilities.

The exploit belonging to both the remote and web application category is CVE-2017-5638.

CVE-2017-5638 is an incorrect exception handling, error message generating vulnerability present during file upload attempts in Jakarta Multipart parser in the following Apache Struts versions:

Apache Struts 2.2.3.x before 2.3.32 Apache Struts 2.5.x before 2.5.10.1

This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. Figure 1 shows CVE-2017-5638s overall timeline, including the vulnerabilitys initial disclosure and exploitation in the wild. While the vendor disclosed the vulnerability and patch on 03/06/2017, an applicable exploit was released on 03/09/2017. It is important to note that RiskSense was the only organization that uncovered the related exploit so early. We were able to do this by tracking Apache Struts code commits in Github.

The vulnerability was accepted into the National Vulnerability Database (NVD) on 03/10/2017. It should be noted that the NVD had a delay of four days in accepting and publishing this critical vulnerability. This delay between a vendor disclosing a vulnerability and the vulnerabilitys publication in the NVD is known as vulnera-bility disclosure time latency. Based on the prevalence of the exploit in the wild, RiskSense prioritized this vulnerability for our clients on 03/25/2017. As predicted by RiskSense (based on the exploits trend in the wild), the vulnerability was used in a high-pro-file attack that resulted in a mega data breach.

Page 3 Spotlight Apache Struts Understanding how Apache Struts vulnerabilities could imapct your organization

Table 1

Exploit Type

RCE

Non-RCE

Both

17 days after vendor disclosure

30 days after vendor disclosure

3 days after vendor disclosure

20

6

1

Weaponization Latency (in Days)Exploit Count

Apache Struts in the Spotlight November 2017

Page 4

After analyzing CVE-2017-5638s event timeline, it is evident that a critical vulnerability had not been prioritized in the target organization's risk management process. There may be several reasons for such lack of prioritization, such as:

Unavailability of an actionable intelligence platform Weak risk prioritization strategy

An efficient risk management strategy demands a proper vulnerability prioritization process. RiskSenses vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. Weaponization is defined as creating malicious content (such as malware, exploits, etc.) that

exploits a vulnerability. Here, we present our findings on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities. Such exploit pattern analysis allows us to predict exploitability of vulnerabilities, and correlat-ing this information with the target client infrastructure allows us to better prioritize vulnerabilities for efficient remediation.

Figure 2 shows the Apache Struts-related vulnerabilities disclosure time latency patterns over the last ten years. The vulnerability disclosure time latency shows the latency (in days) between the vendor release date and NVD publication date for a given vulnerability. Vulnerability criticality is determined from the Common Vulnerability Scoring System (CVSS) score.

Latency in days before a CVE appears in NVD

4

80

15

55

289

5

17

41

41

49

49

49

14

8

55

83

17

26

66

4

54

14

14

10

5

18

39

0

5

210 284

156

124

0 days

50 days

100 days

150 days

200 days

250 days

10 2.610

10

10

10

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

7.8

7.57.5

7.5 7.57.5

7.5

7.5

7.5

7.5

6.8

6.8

6.4

5.8

5

5

5

5

5

4.3

4.34.3

CVE-2017-5638CVE-2011-1772

CVE-2016-3082

CVE-2016-0785

CVE-2013-4316

CVE-2012-0838

CVE-2016-3081

CVE-2013-2251

CVE-2013-2135

CVE-2013-2134

CVE-2013-2115

CVE-2013-1966

CVE-2013-1965

CVE-2012-0392

CVE-2012-0391

CVE-2014-0114

CVE-2014-0094

CVE-2006-1546CVE-2017-9791

Data is up-to-date as Oct 2nd, 2017

CVE-2016-4438CVE-2016-4436

CVE-2016-3087

CVE-2015-1831

CVE-2014-0113

CVE-2014-0112

CVE-2006-1547

CVE-2017-9805

CVE-2012-0394

CVE-2013-2248

CVE-2011-5057

CVE-2012-1007

CVE-2012-1006

CVE-2005-3745

CVE-2008-6504

24 CVEs with CVSS > 7

13 CVEswith CVSS < 7

CVSS v2

CVEs have applicable exploits

Spotlight Apache Struts Understanding how Apache Struts vulnerabilities could imapct your organization

Apache Struts Vulnerabilities Weaponization Patterns

Figure 2

CVE-2008-6505

CVE-2010-1870

CVE-2012-0393

Page 5 Spotlight Apache Struts Understanding how Apache Struts vulnerabilities could imapct your organization

Table 2

Table 3

Apache Struts in the Spotlight November 2017

We use the NVD as a reference for computing the vulnerability disclosure time latency, since the NVD is considered a standard repository for vulnerability publication and notification. The following table shows the Apache Struts-related CVEs with their severity, associated CVSS V2/V3 scores, NVD Vulnerability Latency, and Exploit Type. All CVSS scores provided below were

obtained from the NVD. As such, the NVD applied CVSS V3 scores only for CVEs from 2016 and later. The NVD Vulnerability Disclosure Time Latency denotes the time (in days) it took from the vendors vulnerability disclosure to the NVDs vulnerability publication.

We were able to make the following observations using the information in Table 2 and Figure 2:

1. Table 2 and Figure 2 show that vulnerability disclosure time latency is present for the majority of vulnerabilities.2. Table 3 highlights the CVEs that have a time latency of more than 100 days:

CVE

CVE-2008-6504

CVE-2012-0391

CVE-2012-0838

CVE-2016-4436

284

156

210

124

Latency (in Days)

CVE

CVE-2011-1772

CVE-2005-3745

CVE-2012-1006

CVE-2012-1007

CVE-2008-6504

CVE-2008-6505

CVE-2010-1870

CVE-2011-5057

CVE-2014-0094

CVE-2013-2248

CVE-2012-0393

CVE-2012-0394

CVE-2017-9805

CVE-2014-0112

CVE-2014-0113

CVE-2015-1831

CVE-2016-3087

CVE-2016-4436

CVE-2016-4438

CVE-2017-9791

CVE-2006-1546

CVE-2014-0114

CVE-2006-1547

CVE-2012-0391

CVE-2012-0392

CVE-2013-1965

CVE-2013-1966

CVE-2013-2115

CVE-2013-2134

CVE-2013-2135

CVE-2013-2251

CVE-2016-3081

CVE-2012-0838

CVE-2013-4316