역직렬화 취약점 패치의 어려움
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약
Application Security Researcher - R&D Engineer - PhD Candidate
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
아래 링크를 클릭하고 이 리소스의 PDF를 다운로드하십시오.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
보고서 보기데모 예약
Application Security Researcher - R&D Engineer - PhD Candidate
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
시작하는 데 도움이 되는 리소스
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
