Slashdot Mirror


A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com)

An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.

42 comments

  1. Struts like a transgendered person? by Anonymous Coward · · Score: 0

    Just takes one to fuck up your organization.

    1. Re: Struts like a transgendered person? by Anonymous Coward · · Score: 0

      Is it just coincidence that the security researcher works at LGBTM Research?

  2. Re:Yup, FOSS software sure is safe by Anonymous Coward · · Score: 1

    You want a similar SAP vuln? It's been reported but the company, rather than mitigate it, said that SAP wasn't intended for use on the open internet and should be behind a VPN.

    Shrug.

  3. Re:HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: 0

    You seem upset

  4. Re: That's what the hipsters deserve by Anonymous Coward · · Score: 0

    Webshits gonna webshit..

  5. Struts was garbage by aberglas · · Score: 0

    It took a simple web page and split it over multiple config files. And it did little to help larger ones. It should never have been used. But has been considered obsolete for some time now.

    1. Re:Struts was garbage by Anonymous Coward · · Score: 0

      It was intended for systems with hundreds or thousands of pages, so while it is a piece of crap... I'm not sure why splitting a webpage over multiple pages was a problem... particularly when the markup language could be swapped out.

      Besides, uh. CSS? javascript libs? Are you only considering the visual components or the layout?

    2. Re:Struts was garbage by Gr8Apes · · Score: 2

      Struts was ok, considering when it was built. Struts 2 was an unmitigated disaster.

      --
      The cesspool just got a check and balance.
    3. Re:Struts was garbage by Anonymous Coward · · Score: 0

      I looked at it for a while long ago but I think it was the introduction to the configuration files that made me stab myself in the eyes, close the page and delete the web browser, before burning my computer.

  6. You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

    Why can't these billion-dollar companies create a consortium to make a systematic audit of such code from start to finish? They'd all benefit enormously.

    1. Re:You'd think they'd put their money to good use! by Narcocide · · Score: 2

      Oh, that's actually simple to answer. To the very last man, they'd all rather die than do anything that helps their competition even one tiny bit, even if they would have come out well ahead in the end. They simply don't buy into the old "a rising tide raises all ships" adage, and they're not interested enough in benevolent gestures to even invest serious time finding out it's true.

    2. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      Because a single audit wouldn't solve the issue; 100 audits wouldn't uncover every flaw. Software development is an ongoing process; new attack methods and vectors are discovered all the time. Basically, audit/review needs to be a basic feature of large development, but you would still have vulnerabilities being discovered regardless.

    3. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      No. The answer to the question is that the ones most affected by an exploit are not IT companies. They are businesses that build, buy, and use applications. Well-known OS and other low-level infrastructure components are assumed to be reliable, and if a problem does occur they will kick the problem up to where they got it and depend on someone fixing the problem for them. There are not many corporations who will fund a group of in-house OS developers who sit around scrolling through source code. Counting on the existing in-house application developers to perform these types of duties is also a non-starter. Application and OS or low-level component development require two entirely different skillsets.

    4. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 1

      A rising tide raises all ships, so the other captains will have to come up with a solution and then we'll just piggy-back it.

    5. Re:You'd think they'd put their money to good use! by Carewolf · · Score: 1

      Why can't these billion-dollar companies create a consortium to make a systematic audit of such code from start to finish? They'd all benefit enormously.

      The same reason they are using crap software in the first place. Big business is like overfed government agencies: extremely incompetent and inefficient.

    6. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      "they are using crap software in the first place"
      How would you know? I bet it must have been a time-consuming audit to reach your startling conclusion. When can we expect your roll-out of non-crap software? Since you claimed the software is crap, you must have the innate knowledge and experience to fix the problem. Or maybe you are just a wannabe software guru talking out his ass.

      "extremely incompetent and inefficient"
      This statement perfectly describes today's generation of morons who think being able to use Facebook and Twitter is a technical skill. The same morons who think all the problems in the world can be solved 140 characters at a time. And since governments and corporations are staffed by human beings they end up being extremely incompetent and inefficient.

    7. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      "they are using crap software in the first place"
      How would you know? I bet it must have been a time-consuming audit to reach your startling conclusion. When can we expect your roll-out of non-crap software? Since you claimed the software is crap, you must have the innate knowledge and experience to fix the problem. Or maybe you are just a wannabe software guru talking out his ass.

      "extremely incompetent and inefficient"
      This statement perfectly describes today's generation of morons who think being able to use Facebook and Twitter is a technical skill. The same morons who think all the problems in the world can be solved 140 characters at a time. And since governments and corporations are staffed by human beings they end up being extremely incompetent and inefficient.

      As a software engineer with over 30 years experience .... they probably ARE using crap software. I cannot tell you how many (and it has been many) companies I have been brought into just to fix crap software that they were running and, whoa! just now discovered that it was crap software. The ancient adage is true: It's always cheaper to do over than do correctly the first time. And, NO, Agile does NOT solve that problem either.

  7. Re:Java frameworks are polishing a turd. by Anonymous Coward · · Score: 0

    Okay.

    What do you recommend?

  8. In related news.. by Anonymous Coward · · Score: 0

    Apparently people still use Struts

  9. Re:Java frameworks are polishing a turd. by Gr8Apes · · Score: 1

    I'll bet you use more than you say, unless you wrote your own servers. Which is possible, I've done more than one of those. Java isn't the problem, and the GP that only has been exposed to Struts 2 and Spring, well, yes, he'd likely think those two things are Java when they're only minor frameworks used for one small subset of things people do with Java, no matter what the appearance is.

    --
    The cesspool just got a check and balance.
  10. I don't think a robot will take my job... by Anonymous Coward · · Score: 0

    I'm getting paid for screwing my boss's wife.

    1. Re:I don't think a robot will take my job... by Anonymous Coward · · Score: 0

      Vibrators have existed for a long time. More efficient, safer, and do the job better and faster.

  11. Re:Yup, FOSS software sure is safe by chipschap · · Score: 1

    And besides it's already been fixed. Ever seen Windows fixed that fast when a vulnerability is found? I didn't think so.

  12. THIS HAPPENED IN JUNE by Anonymous Coward · · Score: 0

    It's fucking September guys

  13. Re:Yup, FOSS software sure is safe by Big+Hairy+Ian · · Score: 2

    When the whole world can scour the code to find vulns, it has to be safe, right? Nobody will find those obscure bugs and use them for nefarious purposes, nope, never happen.

    Because you'd rather only know about this shit when the NSA gets hacked??

    --
    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  14. Was already patched! by Anonymous Coward · · Score: 0

    'The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability"'

    Sounds like only people who didn't keep up with security bulletins would be affected.

    On another note, 12 hours go by and only troll posts? What the fuck is happening to Slashdot...

    1. Re:Was already patched! by bill_mcgonigle · · Score: 1

      Sounds like only people who didn't keep up with security bulletins would be affected.

      Well, Java devs tend to bundle libraries instead of loading them dynamically so these can be quite hard to patch without a security person on a CI team.

      On another note, 12 hours go by and only troll posts? What the fuck is happening to Slashdot...

      It's almost 2018 and we still have to wait five minutes between posts and there's no unicode support. The kinds of things that make Facebook and Reddit unpopular.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
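A build-time check for the bundling problem raised in the reply above, added here as an example (it is not code from the thread, from Apache Struts, or from any vendor tool): it walks a WAR or EAR, reads the Maven pom.properties that Struts jars carry (so a jar renamed by a build script is still identified), and flags a bundled struts2-rest-plugin below the fixed release. The per-branch fixed-version thresholds are an assumption taken from Apache's bulletin for this flaw and should be checked against that bulletin; the sample archives are constructed fixtures, not real Struts artifacts.

```python
"""Find bundled Apache Struts 2 jars inside a WAR/EAR and flag REST-plugin
versions below an assumed fixed release.  Example code, not Struts code."""
import io
import re
import zipfile

# Assumed per-branch fixed releases (verify against Apache's bulletin).
# Branches absent here (2.0.x, 2.1.x) never got a fix and are treated as
# vulnerable, matching the report's "all versions since 2008".
FIXED = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}

# Maven metadata carried inside Struts jars; it survives a renamed file name.
POM_PROPS = re.compile(r"^META-INF/maven/org\.apache\.struts/([^/]+)/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.5.12' -> (2, 5, 12); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in text.split("."))


def is_fixed(version):
    """True if the version is at or above the assumed fixed release of its branch."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed


def struts_artifacts(jar_bytes):
    """Return [(artifactId, version_tuple)] from pom.properties inside one jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_PROPS.match(name):
                props = dict(
                    line.split("=", 1)
                    for line in jar.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                found.append((props["artifactId"], parse_version(props["version"])))
    return found


def scan(blob, path=""):
    """Walk a deployable recursively (EAR -> WAR -> WEB-INF/lib) and return
    (path, artifactId, version, vulnerable) for every Struts 2 jar found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to descend into
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            inner = zf.read(name)
            full = f"{path}!/{name}" if path else name
            try:
                artifacts = struts_artifacts(inner)
            except zipfile.BadZipFile:
                continue  # mis-named non-archive; skip rather than crash the build
            for artifact, version in artifacts:
                findings.append((full, artifact, version, not is_fixed(version)))
            findings.extend(scan(inner, full))
    return findings


def exposed_rest_plugins(blob):
    """Paths of bundled struts2-rest-plugin jars below the fixed release. The
    report ties this flaw to apps using the REST plugin, so a build that
    bundles only struts2-core is not flagged by this particular check."""
    return [p for p, art, _v, vuln in scan(blob) if art == "struts2-rest-plugin" and vuln]


# --- constructed fixtures standing in for real build artifacts ---------------
def make_jar(artifact, version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(f"META-INF/maven/org.apache.struts/{artifact}/pom.properties",
                     f"#generated\nversion={version}\ngroupId=org.apache.struts\n"
                     f"artifactId={artifact}\n")
    return buf.getvalue()


def make_war(libs):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for fname, data in libs.items():
            war.writestr(f"WEB-INF/lib/{fname}", data)
    return buf.getvalue()


def make_ear(war_bytes):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("app.war", war_bytes)
    return buf.getvalue()


VULNERABLE_WAR = make_war({
    "struts2-core-2.5.12.jar": make_jar("struts2-core", "2.5.12"),
    "rest.jar": make_jar("struts2-rest-plugin", "2.5.12"),  # renamed on purpose
    "commons-lang3.jar": b"not even a zip",                   # skipped, not fatal
})
PATCHED_WAR = make_war({
    "struts2-core-2.5.13.jar": make_jar("struts2-core", "2.5.13"),
    "struts2-rest-plugin-2.5.13.jar": make_jar("struts2-rest-plugin", "2.5.13"),
})
NESTED_EAR = make_ear(VULNERABLE_WAR)

if __name__ == "__main__":
    for label, blob in [("vulnerable.war", VULNERABLE_WAR),
                        ("patched.war", PATCHED_WAR), ("nested.ear", NESTED_EAR)]:
        print(label, "->", exposed_rest_plugins(blob) or "no exposed REST plugin")
```

Run as a script it prints the flagged paths for the three constructed archives; in a pipeline you would read the built artifact's bytes, call `exposed_rest_plugins` on them, and fail the stage on a non-empty result, which turns the "security person on a CI team" into an automated gate. Because the check descends into nested archives and keys on Maven metadata rather than file names, it also catches the copied-in or renamed jars that dependency managers do not know about.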
  15. Struts is useful for one thing today... by DeplorableCodeMonkey · · Score: 1

    Screening out new hires. We had a candidate say he'd use Struts for a new project, and that was 2015. Needless to say, he never dug out of that rut in the interview. Any non-junior Java application developer who doesn't have Grails, Play, Spring Boot or DropWizard experience is an automatic "don't hire, next" for every Java team I have met that was halfway decent or better.

  16. Re:HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: 0

    You still here?

  17. Sanitize your inputs by davecason · · Score: 1

    Back-end commands being absorbed through the front end... again: https://xkcd.com/327/

  18. I am - whipslash Logan Abbott isn't... apk by Anonymous Coward · · Score: 0

    I am - whipslash Logan Abbott isn't - go figure! He knows he'd lose my bet that my screenshots are REAL unedited fact. Slashdot doesn't delete posts, eh? WRONG!

    APK

    P.S.=> What a pack of cheating liars - unbelievable! Between bogus "downmodpoints" I always run fools dry of in the end, libeling me, threatening me, harassing & stalking me by UNIDENTIFIABLE posts? No small wonder the world is what it is out there today (pitifully populated by little cowardly worms & "ne'er-do-well" do-nothings on welfare or heroin)... apk

    1. Re:I am - whipslash Logan Abbott isn't... apk by Anonymous Coward · · Score: 0

      Have you stopped taking your meds?
      Calm the fuck down, breathe into a paper bag or whatever.

  19. Mad Gadget by jesuscyborg · · Score: 1

    The Mad Gadget vulnerability strikes again. https://opensource.googleblog....