An analysis of the Apache Struts 2 Vulnerability CVE-2017-5638

There are many ways developers incorporate open source code into their proprietary applications. A common way is to include versioned dependencies. Another is to copy and paste open source code into your code. When using third party software it is required to pay attention to the original software license obligations as well as watch this component for current and future vulnerabilities.

At Flexera, my team works with companies to audit code to help avoid exactly these situations.

What is Apache Struts 2?

Struts 2 is an Apache 2.0 licensed java web framework used to build large scale web applications. It is commonly used in government, financial, health and other large enterprise applications. This component was used in an Equifax application, and was exploited to breach data of an estimated 143 million people.

Hackers were able to take advantage of CVE-2017-5638 in Struts 2 in order to steal confidential information. The vulnerability is reviewed and published by the National Vulnerability Database (NVD).

OGNL

Struts 2 contains another Apache licensed library called Object Graph Navigation language.(OGNL). This was the underlying technology that was attacked and exploited at Equifax.

While Apache Struts 2 is in the news, the vulnerability was the result of the unsafe use of the embedded OGNL library. A defect related to OGNL parsing error messages was exploited in the default Struts 2 fileupload functionality.

How can you avoid missing a critical vulnerability?

When using open source or other third party software, you also need to be aware of other independent third-party libraries that are being brought in with the intended library. If you use Apache Struts 2, you are probably also using OGNL. This is easy to remediate – upgrade to the latest version of Struts 2 and remove older versions.

How do I find the Struts 2 implementation that’s being used in my code?

Flexera’s Software Composition Analysis (SCA) platform scans your software and matches it against 12.9 million open source libraries. Additionally, source code fingerprint technology enables identification of stolen or copied source code that ends up shipping within your code.

Remediation is now less daunting. The specific files can be updated, refactored or removed altogether.

Analyze your risk

We know vulnerabilities are here to stay. Cases like the Equifax breach will come and go – they are not necessarily an indication of developer malice. They do show an increased need to be aware of your complete software bill of materials and to pay attention to software vulnerabilities on a constant basis.

What questions should you add to your Software Composition analysis checklist to prevent breaches like the one that hit Equifax?

  • Which open source libraries are being used in my product?
  • What other third-party libraries are being pulled in by default and are potentially introducing additional risk?
  • What percentage of my proprietary code contains “stolen” or “copied” code from other third-party open source libraries without proper attribution?

Leave a Reply

Your email address will not be published. Required fields are marked *