RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.

S P O T L I G H T

Apache Struts Understanding how Apache Struts vulnerabilitiescould impact your organization

Apache Struts is a free, open-source Model View Controller (MVC) framework. Introduced around 2006, this framework is extensively used in creating Java-based web applications. Over the last 12 years, we have observed an increase in Apache Struts weaponization; with this information in mind, an unpatched Apache Struts vulnerability (CVE-2017-5638) was the foundation of a significant data breach that put Apache Struts into the spotlight. This weakness emphasized the impending risks for Apache Struts-based applications. Even today, scanners do not detect all known vulnerabilities; as of 10/10/2017, the leading scanners still missed 25 total unique Common Vulnerabilities and Exposures (CVEs).

In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide insight into exploit patterns and explain how these patterns can define an organization’s risk management strategy.

Page 2

Introduction

CVE-2017-5638 Timeline

Apache Struts Vulnerabilities’ Weaponization Patterns

Weaponization Timeline and Exploit Patterns

What Does This Mean for Organizational Cyber Risk Management?

3

3

4

6

7

Table of Contents

Apache Struts in the Spotlight • November 2017

Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Background

Apache Struts in the Spotlight • November 2017

Mega Data BreachBreaking News

Attack Occured

3 4 5 6 7 8 9 109.7. 2017

CVE-2017-5638 Published

RiskSense Prioritized CVE-2017-5638 in the Platform

3 4

Exploit Released

3.6.17NVD Released3.10.17

3.9.17 3.25.17

CVE-2017-5638 Timeline

Introduction

Figure 1

Developers use Apache Struts’ MVC framework to build Internet-facing web applications that regularly accept and execute user input. User inputs are processed at the server side using parsers or internal objects. These input handlers are subjected to remote code execution (RCE)-based exploits and arbitrary command injections resulting from underlying implementation flaws. Among the 27 Apache Struts vulnerabilities found with exploits, we observed the following:

• The average vulnerability disclosure time latency for RCE-based vulnerabilities is 39 days and 29 days for non-RCE-based vulnerabilities.

The exploit belonging to both the remote and web application category is CVE-2017-5638.

CVE-2017-5638 is an incorrect exception handling, error message generating vulnerability present during file upload attempts in Jakarta Multipart parser in the following Apache Struts versions:

• Apache Struts 2.2.3.x before 2.3.32• Apache Struts 2.5.x before 2.5.10.1

This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. Figure 1 shows CVE-2017-5638’s overall timeline, including the vulnerability’s initial disclosure and exploitation in the wild. While the vendor disclosed the vulnerability and patch on 03/06/2017, an applicable exploit was released on 03/09/2017. It is important to note that RiskSense was the only organization that uncovered the related exploit so early. We were able to do this by tracking Apache Struts code commits in Github.

The vulnerability was accepted into the National Vulnerability Database (NVD) on 03/10/2017. It should be noted that the NVD had a delay of four days in accepting and publishing this critical vulnerability. This delay between a vendor disclosing a vulnerability and the vulnerability’s publication in the NVD is known as vulnera-bility disclosure time latency. Based on the prevalence of the exploit in the wild, RiskSense prioritized this vulnerability for our clients on 03/25/2017. As predicted by RiskSense (based on the exploit’s trend in the wild), the vulnerability was used in a high-pro-file attack that resulted in a mega data breach.

Page 3 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Table 1

Exploit Type

RCE

Non-RCE

Both

17 days after vendor disclosure

30 days after vendor disclosure

3 days after vendor disclosure

20

6

1

Weaponization Latency (in Days)Exploit Count

Apache Struts in the Spotlight • November 2017

Page 4

After analyzing CVE-2017-5638’s event timeline, it is evident that a critical vulnerability had not been prioritized in the target organization's risk management process. There may be several reasons for such lack of prioritization, such as:

• Unavailability of an actionable intelligence platform• Weak risk prioritization strategy

An efficient risk management strategy demands a proper vulnerability prioritization process. RiskSense’s vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. Weaponization is defined as creating malicious content (such as malware, exploits, etc.) that

exploits a vulnerability. Here, we present our findings on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities. Such exploit pattern analysis allows us to predict exploitability of vulnerabilities, and correlat-ing this information with the target client infrastructure allows us to better prioritize vulnerabilities for efficient remediation.

Figure 2 shows the Apache Struts-related vulnerabilities’ disclosure time latency patterns over the last ten years. The vulnerability disclosure time latency shows the latency (in days) between the vendor release date and NVD publication date for a given vulnerability. Vulnerability criticality is determined from the Common Vulnerability Scoring System (CVSS) score.

Latency in days before a CVE appears in NVD

4

80

15

55

289

5

17

41

41

49

49

49

14

8

55

83

17

26

66

4

54

14

14

10

5

18

39

0

5

210 284

156

124

0 days

50 days

100 days

150 days

200 days

250 days

10 2.610

10

10

10

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

7.8

7.57.5

7.5 7.57.5

7.5

7.5

7.5

7.5

6.8

6.8

6.4

5.8

5

5

5

5

5

4.3

4.34.3

CVE-2017-5638CVE-2011-1772

CVE-2016-3082

CVE-2016-0785

CVE-2013-4316

CVE-2012-0838

CVE-2016-3081

CVE-2013-2251

CVE-2013-2135

CVE-2013-2134

CVE-2013-2115

CVE-2013-1966

CVE-2013-1965

CVE-2012-0392

CVE-2012-0391

CVE-2014-0114

CVE-2014-0094

CVE-2006-1546CVE-2017-9791

Data is up-to-date as Oct 2nd, 2017

CVE-2016-4438CVE-2016-4436

CVE-2016-3087

CVE-2015-1831

CVE-2014-0113

CVE-2014-0112

CVE-2006-1547

CVE-2017-9805

CVE-2012-0394

CVE-2013-2248

CVE-2011-5057

CVE-2012-1007

CVE-2012-1006

CVE-2005-3745

CVE-2008-6504

24 CVEs with CVSS > 7

13 CVEswith CVSS < 7

CVSS v2

CVEs have applicable exploits

Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Apache Struts Vulnerabilities’ Weaponization Patterns

Figure 2

CVE-2008-6505

CVE-2010-1870

CVE-2012-0393

Page 5 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Table 2

Table 3

Apache Struts in the Spotlight • November 2017

We use the NVD as a reference for computing the vulnerability disclosure time latency, since the NVD is considered a standard repository for vulnerability publication and notification. The following table shows the Apache Struts-related CVEs with their severity, associated CVSS V2/V3 scores, NVD Vulnerability Latency, and Exploit Type. All CVSS scores provided below were

obtained from the NVD. As such, the NVD applied CVSS V3 scores only for CVEs from 2016 and later. The NVD Vulnerability Disclosure Time Latency denotes the time (in days) it took from the vendor’s vulnerability disclosure to the NVD’s vulnerability publication.

We were able to make the following observations using the information in Table 2 and Figure 2:

1. Table 2 and Figure 2 show that vulnerability disclosure time latency is present for the majority of vulnerabilities.2. Table 3 highlights the CVEs that have a time latency of more than 100 days:

CVE

CVE-2008-6504

CVE-2012-0391

CVE-2012-0838

CVE-2016-4436

284

156

210

124

Latency (in Days)

CVE

CVE-2011-1772

CVE-2005-3745

CVE-2012-1006

CVE-2012-1007

CVE-2008-6504

CVE-2008-6505

CVE-2010-1870

CVE-2011-5057

CVE-2014-0094

CVE-2013-2248

CVE-2012-0393

CVE-2012-0394

CVE-2017-9805

CVE-2014-0112

CVE-2014-0113

CVE-2015-1831

CVE-2016-3087

CVE-2016-4436

CVE-2016-4438

CVE-2017-9791

CVE-2006-1546

CVE-2014-0114

CVE-2006-1547

CVE-2012-0391

CVE-2012-0392

CVE-2013-1965

CVE-2013-1966

CVE-2013-2115

CVE-2013-2134

CVE-2013-2135

CVE-2013-2251

CVE-2016-3081

CVE-2012-0838

CVE-2013-4316

CVE-2016-0785

CVE-2016-3082

CVE-2017-5638

Severity

Low

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium

Medium/High

High

High

High

High/Critical

High/Critical

High/Critical

High/Critical

High

High

High

High

High

High

High

High

High

High

High

High

High

High

High

High/Critical

High/Critical

CVSS V2

2.6

4.3

4.3

4.3

5.0

5.0

5.0

5.0

5.0

5.8

6.4

6.8

6.8

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.5

7.8

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

9.3

10

10

10

10

10

NVD Vuln. Latency

80

1

5

5

284

0

39

18

5

5

14

14

10

54

4

66

26

124

17

3

8

55

8

156

14

49

49

49

41

41

17

5

210

9

28

5

4

Exploit Type

Remote

Remote

WebApps

WebApps

Remote

Remote

Remote

Remote

Remote

Remote

WebApps

Remote

Remote

Remote

Remote

No Exploit

Remote

No Exploit

No Exploit

WebApps

No Exploit

Remote

No Exploit

WebApps

WebApps

Remote

Remote

Remote

Remote

No Exploit

Remote

Remote

No Exploit

No Exploit

No Exploit

No Exploit

Remote, Webapps

CVSS V3

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

9.8

9.8

9.8

9.8

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

8.1

N/A

N/A

8.8

9.8

10

8.1

Page 6 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

We analyzed the weaponization timelines for all CVEs with exploits. Particularly, it is interesting to identify if the weapon-ization occurs during the vulnerability disclosure timeline. This means that organizations that are susceptible to such vulnera-bilities are at even more risk due to the following reasons:

1. Organizations relying on NVD for timely vulnerability disclosures are highly vulnerable during the vulnerability disclosure latency.2. When weaponization occurs during latency, some organi- zations are at even higher risk of a data breach or falling prey to massive cyber attacks.

We define weaponization states through relationships between the vendor's CVE disclosure date, patch/workaround date, exploit weaponization date, and NVD disclosure date, as shown in Figure 3. We can determine an exploit's organizational impact from the order of these events. From this, we mapped four unique weaponization states, as shown below:

Exploit released before NVD publication and before patch releaseExploit released before NVD publication and after patch releaseExploit released after NVD publication and after patch releaseExploit released after NVD publication and before patch release

Weaponization Timeline and Exploit Patterns

< NVD, <Exploit released before NVD published before

patch released

<NVD , <Exploit released after NVD published after

patch released

CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114

Exploit released 14 days before patch was released

2005

2008

2011

2012

2014

2016

2017

CVE-2011-1772CVE-2011-5057

Data is up-to-date as Oct 2nd, 2017

Figure 3

CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007

CVE-2017-5638CVE-2017-9791CVE-2017-9805

CVE-2005-3745

CVE-2016-3081CVE-2016-3087

CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251

2013

CVSS v22.6 4.3 5.0

5.86.46.8

7.57.8

9.3 10

< < NVDExploit released after patch released before

NVD publishedCVE-2010-1870

CVE-2008-6504CVE-2008-6505Exploit released 139 days before patch was released

2010

3. Among the 27 CVEs that have applicable exploits, 26 are subjected to vulnerability disclosure latency. This can be observed from the data presented in Table 2. 4. It is also interesting to note that among the 27 CVEs with exploits, 12 of those CVEs are low or medium severity vulnerabilities. This emphasizes the fact that CVE severity is not a crucial determinant factor when identifying high-risk CVEs. Organizations typically focus on remediating high-severity CVEs; however, low and medium severity CVEs should also be prioritized in the remediation strategy based on their applicable exploits. 5. The majority of the associated exploit types are remote, meaning they could be delivered and executed through an RCE strategy. This observation again emphasizes why organizations should focus on tackling RCE-based exploits while securing their Apache Struts-based application infrastructure.

Apache Struts in the Spotlight • November 2017

Page 7 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization

Table 4

Apache Struts in the Spotlight • November 2017

What Does This Mean for Organizational Cyber Risk Management?It is evident from the data breach (caused by unpatched CVE-2017-5638) how organizations are falling behind in the vulnerability prioritization and mitigation game. RiskSense’s observations from the latency and weaponization patterns makes cyber risk management through vulnerability prioritization a multi-faceted and complex problem, especially if organizations are using diverse software and hardware stacks and do not receive timely updates on applicable vulnerabilities (due to a lack of a reliable unified notification source), then they are secure only until the weaponization of those vulnerabilities.

Even if exploitable vulnerabilities are revealed to organizations, they often fail to gauge the risk of such vulnerabilities to their organization's business and fail in prioritization. This is due to the lack of capabilities that will prioritize vulnerabilities not just based on their severity (we have already seen vulnerabilities with CVSS < 7 have malicious exploits) but also on their potential exploitability.

Organizations should implement their risk mitigation around RCE-based exploits and their related vulnerabilities, which scanners often fail to detect. We continue to see recent trends

suggesting that RCE-based exploits are some of the most effective exploits, as highlighted by CVE-2017-5638 and CVE-2017-9805.

To this end, it is extremely critical for organizations to adapt a threat- and risk-centric approach to vulnerability prioritization and remediation. Such approaches should consider both the organization's asset criticality and historical analysis of weaponization patterns of vulnerabilities so that both exploitability and risk of vulnerabilities can be predicted accurately.

The following table shows CVE weaponization patterns by year. As mentioned previously, CVSS V3 scores are only included for vulnerabilities from 2016 and later. Weaponization Latency is defined as the time (in days) it took from the vendor disclosure to the creation of an exploit targeting the vulnerability. The following bullets explain how to interpret the weaponization latency values presented in Table 4.

Our analysis on applicable exploits reveal interesting patterns in both exploit delivery and underlying weaknesses in Apache Struts. Note that most low and medium severity vulnerabilities also have associated exploits. An organization may prioritize only resolving high vulnerabilities, leaving them weak to these exploits.

We also observed that remote exploits are used more frequently for weaponization. Most of the applicable exploits are delivered through URL code injection, some of which target the underlying weakness in the Object-Graph Navigation Library (OGNL). The remaining set of exploits are divided into cross-site scripting (XSS) and HTTP header-based injections.

• A weaponization latency of zero means an exploit was released the same day the vulnerability was disclosed by the vendor. • A positive weaponization latency means that the exploit was released before the vendor disclosed the vulnerability. • A negative weaponization latency means the vulnerability was disclosed before an exploit was applied.

Year

20052008 20102011 2012 2013 2014 2016 2017

CVE

CVE-2005-3745CVE-2008-6504 CVE-2008-6505CVE-2010-1870CVE-2011-1772CVE-2011-5057CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114CVE-2016-3081CVE-2016-3087CVE-2017-5638CVE-2017-9791CVE-2017-9805

CVSS V2/V3

4.35.05.05.02.65.09.39.36.46.84.34.39.39.39.39.35.89.35.07.57.57.59.3/8.17.5/9.810/107.5/9.86.8/8.1

Exploit Type

RemoteRemoteRemoteRemoteRemoteRemoteWebAppsWebAppsWebAppsRemoteWebAppsWebAppsRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemote, WebAppsWebAppsRemote

Weaponization Latency

0-145 139

-5 -77 14

-154 -12 -12 -12

-1 -1

-14 -8 -8 0

-2 -22 -53 -53

-7 -53

-9 -25 -3 0 0

© 2017 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_ApacheStruts_11092017

RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.

Contact Us Today to Learn More About RiskSenseRiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | info@RiskSense.com

SCHEDULE A DEMOCONTACT US