Slashdot Mirror


A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com)

An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.

42 comments

  1. Yup, FOSS software sure is safe by Anonymous Coward · · Score: -1

    When the whole world can scour the code to find vulns, it has to be safe, right? Nobody will find those obscure bugs and use them for nefarious purposes, nope, never happen.

    1. Re:Yup, FOSS software sure is safe by Anonymous Coward · · Score: 1

      You want a similar SAP vuln? It's been reported but the company, rather than mitigate it, said that SAP wasn't intended for use on the open internet and should be behind a VPN.

      Shrug.

    2. Re:Yup, FOSS software sure is safe by chipschap · · Score: 1

      And besides it's already been fixed. Ever seen Windows fixed that fast when a vulnerability is found? I didn't think so.

    3. Re:Yup, FOSS software sure is safe by Big+Hairy+Ian · · Score: 2

      When the whole world can scour the code to find vulns, it has to be safe, right? Nobody will find those obscure bugs and use them for nefarious purposes, nope, never happen.

      Because you'd rather only know about this shit when the NSA gets hacked??

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. Struts like a transgendered person? by Anonymous Coward · · Score: 0

    Just takes one to fuck up your organization.

    1. Re: Struts like a transgendered person? by Anonymous Coward · · Score: 0

      Is it just coincidence that the security researcher works at LGBTM Research?

  3. amazing by Anonymous Coward · · Score: -1

    3 posts in a row dealing with tech things, instead of politics or other inane subjects. I wonder how long the streak will go

  4. HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: -1

    See subject: Just so I can HUMILIATE your sorry trustfund baby ass for lying douchebag (about /. deleting posts) https://yro.slashdot.org/comme...

    * See, I've got the screenshots to PROVE you're a liar fucker... & I've FLAT OUT BET YOU 1 MILLION U.S. Dollars over it scumbag https://hardware.slashdot.org/comments.pl?sid=11077439&cid=55144377/ bitch.

    YOU NEVER DELETE POSTS ON /.? YOU JUST DELETED 6 of MINE loser... scared, bitch? Yes, obviously.

    APK

    P.S.=> How does it FEEL being stone cold caught in your LIES, little douchebag? I am going to have a FIELD DAY with you on this, lol... apk

    1. Re:HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: 0

      You seem upset

    2. Re:HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: 0

      You still here?

  5. That's what the hipsters deserve by Anonymous Coward · · Score: -1

    All the javarasts, restarasts and other hipsters are getting what they deserve. The web should have always stayed for one way information transfer. The way information transfer and applications should have always been performed locally by optimized native applications using 30Mb ram and not being larger than 40mb on disk.

    1. Re: That's what the hipsters deserve by Anonymous Coward · · Score: 0

      Webshits gonna webshit..

  6. Struts was garbage by aberglas · · Score: 0

    It took a simple web page and split it over multiple config files. And it did little to help larger ones. It should never have been used. But has been considered obsolete for some time now.

    1. Re:Struts was garbage by Anonymous Coward · · Score: 0

      It was intended for systems with hundreds or thousands of pages, so while it is a piece of crap... I'm not sure why splitting a webpage over multiple pages was a problem... particularly when the markup language could be swapped out.

      Besides, uh. CSS? javascript libs? Are you only considering the visual components or the layout?

    2. Re:Struts was garbage by Gr8Apes · · Score: 2

      Struts was ok, considering when it was built. Struts 2 was an unmitigated disaster.

      --
      The cesspool just got a check and balance.

    3. Re:Struts was garbage by Anonymous Coward · · Score: 0

      I looked at it for a while long ago but I think it was the introduction to the configuration files that made me stab myself in the eyes, close the page and delete the web browser, before burning my computer.

  7. HEY WHIPSLASH STEP INSIDE... apk by Anonymous Coward · · Score: -1

    See subject: Just so I can HUMILIATE your sorry trustfund baby ass for lying douchebag (about /. deleting posts) https://yro.slashdot.org/comme...

    * See, I've got the screenshots to PROVE you're a liar fucker & I've FLAT OUT BET YOU 1 MILLION U.S. Dollars over it scumbag https://hardware.slashdot.org/comments.pl?sid=11077439&cid=55144377/ bitch.

    YOU NEVER DELETE POSTS ON /.? YOU JUST DELETED 6 of MINE loser... scared, bitch? Yes, obviously.

    DOWNMOD ME ALL DAY, EVERYONE SEES IT "Forrest" https://apache.slashdot.org/comments.pl?sid=11077485&cid=55144819/ & RUN, Forrest (lmao).

    I'm FAR from upset - I'm laughing & I pity Logan Abbott/whipslash (the owner here).

    I want that bitch Logan Abbott to either make GOOD on a FAIR bet I am putting forth to him directly, or to SEE HIM RUN MORE, lol!

    APK

    P.S.=> How does it FEEL being stone cold caught in your LIES, little douchebag? I am going to have a FIELD DAY with you on this, lol... apk

  8. You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

    Why can't these billion-dollar companies create a consortium to make a systematic audit of such code from start to finish? They'd all benefit enormously.

    1. Re:You'd think they'd put their money to good use! by Narcocide · · Score: 2

      Oh, that's actually simple to answer. To the very last man, they'd all rather die than do anything that helps their competition even one tiny bit, even if they would have come out well ahead in the end. They simply don't buy into the old "a rising tide raises all ships" adage, and they're not interested enough in benevolent gestures to even invest serious time finding out it's true.

    2. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      Because a single audit wouldn't solve the issue; 100 audits wouldn't uncover every flaw. Software development is an ongoing process; new attack methods and vectors are discovered all the time. Basically, audit/review needs to be a basic feature of large development, but you would still have vulnerabilities being discovered regardless.

    3. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      No. The answer to the question is that the ones most affected by an exploit are not IT companies. They are businesses that build, buy, and use applications. Well-known OS and other low-level infrastructure components are assumed to be reliable, and if a problem does occur they will kick the problem up to where they got it and depend on someone fixing the problem for them. There are not many corporations who will fund a group of in-house OS developers who sit around scrolling through source code. Counting on the existing in-house application developers to perform these types of duties is also a non-starter. Application and OS or low-level component development require two entirely different skillsets.

    4. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 1

      A rising tide raises all ships, so the other captains will have to come up with a solution and then we'll just piggy-back it.

    5. Re:You'd think they'd put their money to good use! by Carewolf · · Score: 1

      Why can't these billion-dollar companies create a consortium to make a systematic audit of such code from start to finish? They'd all benefit enormously.

      The same reason they are using crap software in the first place. Big business is, like overfed government agencies, extremely incompetent and inefficient.

    6. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      "they are using crap software in the first place"
      How would you know? I bet it must have been a time-consuming audit to reach your startling conclusion. When can we expect your roll-out of non-crap software? Since you claimed the software is crap you must have the innate knowledge and experience to fix the problem. Or maybe you are just a wannabe software guru talking out his ass.

      "extremely incompetent and inefficient"
      This statement perfectly describes today's generation of morons who think being able to use Facebook and Twitter is a technical skill. The same morons who think all the problems in the world can be solved 140 characters at a time. And since governments and corporations are staffed by human beings they end up being extremely incompetent and inefficient.

    7. Re:You'd think they'd put their money to good use! by Anonymous Coward · · Score: 0

      "they are using crap software in the first place"
      How would you know? I bet it must have been a time-consuming audit to reach your startling conclusion. When can we expect your roll-out of non-crap software? Since you claimed the software is crap you must have the innate knowledge and experience to fix the problem. Or maybe you are just a wannabe software guru talking out his ass.

      "extremely incompetent and inefficient"
      This statement perfectly describes today's generation of morons who think being able to use Facebook and Twitter is a technical skill. The same morons who think all the problems in the world can be solved 140 characters at a time. And since governments and corporations are staffed by human beings they end up being extremely incompetent and inefficient.

      As a software engineer with over 30 years experience .... they probably ARE using crap software. I cannot tell you how many (and it has been many) companies I have been brought into just to fix crap software that they were running and, whoa! just now discovered that it was crap software. The ancient adage is true: It's always cheaper to do over than do correctly the first time. And, NO, Agile does NOT solve that problem either.

  9. Not @ all - I'm willing to bet a million by Anonymous Coward · · Score: -1

    See subject & what the "staff" (whipslash) is downmodding to HIDE from you https://apache.slashdot.org/comments.pl?sid=11077485&cid=55144819/

    * Hey "Forrest" (Logan Abbott/whipslash) YOU ARE RUNNING!

    Completely FAIR bet pal & I don't think you have REAL wealth to back it (only paper bs you can't liquidate) chicken (you're already proven a liar so I guess "your kind" just doesn't care, you just bs everyone - pitiful & yes, I pity you whipslash).

    APK

    P.S.=> I truly DO wonder how someone like YOU can live w/ yourself... apk

  10. Java frameworks are polishing a turd. by Anonymous Coward · · Score: -1

    Java is a shit language. Its best feature is static type safety, and it honestly doesn't do that very well. Then they try to fix the limitations by building these huge, stupid frameworks on top of it. Struts is used everywhere for years despite being shithouse. Then people go "OMG Struts was so bad, let's use Spring instead - it's the best!" except Spring is only good compared to shit like Struts; it's not actually good. It gets worse and worse, actually, encouraging lazy, thoughtless, "automagic" programming where you type in reams of scattered incantations until the app is working in the limited cases you've tested, having spent days and days debugging weird behaviour caused by the incomplete abstraction of the framework.

    I have no idea how anyone reasons about large applications using Java frameworks. I suspect that most don't actually reason about them at all, just plough on to the next feature leaving behind bugs and security holes with such careful analysis as "it worked for me" and "the tests pass".

    I truly wonder what programming would be like today if people hadn't doubled down on polishing the turd that is Java.

    1. Re:Java frameworks are polishing a turd. by Anonymous Coward · · Score: 0

      Okay.

      What do you recommend?

    2. Re:Java frameworks are polishing a turd. by roman_mir · · Score: -1

      So, Java, the language (and do you include the JVM into 'Java') is a piece of shit because many people tried hard to build frameworks (many shitty frameworks at that) on top of it?

      My systems run on Java and we use no frameworks at all, only tier separation standard, no auto-magic, I like it exactly that way and it works as it is supposed to.

    3. Re:Java frameworks are polishing a turd. by Gr8Apes · · Score: 1

      I'll bet you use more than you say, unless you wrote your own servers. Which is possible, I've done more than one of those. Java isn't the problem, and the GP that only has been exposed to Struts 2 and Spring, well, yes, he'd likely think those two things are Java when they're only minor frameworks used for one small subset of things people do with Java, no matter what the appearance is.

      --
      The cesspool just got a check and balance.

    4. Re: Java frameworks are polishing a turd. by Anonymous Coward · · Score: -1

      > What do you recommend?

      Elixir.

      Java Frameworks try to design around the fact that Java as a language is a poor fit for web from the get go.

      Go with a language intended for the problem, rather than trying to fit a square peg in a round hole, which was thus never going to succeed, unless you consider success to be living in denial of Java's unsuitability until eventually the programmer masses point out that the emperor has no clothes, so that overnight we all agree Java was a shit choice in the first place.

  11. In related news.. by Anonymous Coward · · Score: 0

    Apparently people still use Struts

  12. I don't think a robot will take my job... by Anonymous Coward · · Score: 0

    I'm getting paid for screwing my boss's wife.

    1. Re:I don't think a robot will take my job... by Anonymous Coward · · Score: 0

      Vibrators have existed for a long time. More efficient, safer, and they do the job better and faster.

  13. THIS HAPPENED IN JUNE by Anonymous Coward · · Score: 0

    It's fucking September guys

  14. Was already patched! by Anonymous Coward · · Score: 0

    'The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability"'

    Sounds like only people who didn't keep up with security bulletins would be affected.

    On another note, 12 hours go by and only troll posts? What the fuck is happening to Slashdot...

    1. Re:Was already patched! by bill_mcgonigle · · Score: 1

      Sounds like only people who didn't keep up with security bulletins would be affected.

      Well, Java devs tend to bundle libraries instead of loading them dynamically so these can be quite hard to patch without a security person on a CI team.

      On another note, 12 hours go by and only troll posts? What the fuck is happening to Slashdot...

      It's almost 2018 and we still have to wait five minutes between posts and there's no unicode support. The kinds of things that make Facebook and Reddit unpopular.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
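
      bill_mcgonigle's point that Java apps bundle their libraries is why a defender's first step is an inventory of what each deployed artifact actually ships. The script below is an added example, not code from this post or from Apache Struts: it walks a WAR or EAR (recursing into nested deployables), lists every bundled Struts jar with its version taken from the file name or from the manifest's Implementation-Version, and flags whether the REST plugin named in the report is present. The sample archive it builds, including the jar names and the version string, is constructed for the demonstration.

```python
import io
import re
import zipfile

# Maven-style jar names, e.g. struts2-core-2.5.10.jar or struts2-rest-plugin-2.5.10.jar
JAR_NAME_RE = re.compile(r"^(?P<artifact>struts2?-[a-z0-9-]+?)-(?P<version>\d[0-9A-Za-z.\-]*)\.jar$")

def _manifest_version(jar_bytes):
    """Fall back to Implementation-Version in META-INF/MANIFEST.MF when the file name has no version."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None

def inventory_struts_jars(archive_bytes, prefix=""):
    """Return [(path, artifact, version)] for every Struts jar bundled in a WAR/EAR given as bytes.
    Recurses into nested WAR/EAR archives so the result reflects what is really on the classpath."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            if name.lower().endswith((".war", ".ear")):  # nested deployable: inspect its own libs
                found.extend(inventory_struts_jars(archive.read(name), prefix + name + "!/"))
                continue
            base = name.rsplit("/", 1)[-1]
            if not (name.lower().endswith(".jar") and base.startswith("struts")):
                continue
            m = JAR_NAME_RE.match(base)
            if m:
                found.append((prefix + name, m.group("artifact"), m.group("version")))
            else:  # unversioned file name: ask the manifest
                version = _manifest_version(archive.read(name)) or "unknown"
                found.append((prefix + name, base[:-4], version))
    return found

def bundles_rest_plugin(archive_bytes):
    """True when the Struts 2 REST plugin, the component named in the report, is bundled anywhere."""
    return any(a == "struts2-rest-plugin" for _, a, _ in inventory_struts_jars(archive_bytes))

def build_sample_war():
    """Constructed sample, not a real application; the version string is a placeholder."""
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "w") as jar:  # REST plugin jar whose version lives only in its manifest
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.5.10\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        w.writestr("WEB-INF/lib/struts2-rest-plugin.jar", plugin.getvalue())
        w.writestr("WEB-INF/lib/commons-lang3-3.6.jar", b"")  # unrelated jar, must be ignored
    return war.getvalue()
```

      Run it over the build output in CI rather than on the server, so an artifact that still bundles an unpatched Struts jar is caught before it is deployed.
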
  15. Struts is useful for one thing today... by DeplorableCodeMonkey · · Score: 1

    Screening out new hires. We had a candidate say he'd use Struts for a new project, and that was 2015. Needless to say, he never dug out of that rut in the interview. Any non-junior Java application developer who doesn't have Grails, Play, Spring Boot or DropWizard experience is an automatic "don't hire, next" for every Java team I have met that was halfway decent or better.

  16. Sanitize your inputs by davecason · · Score: 1

    Back-end commands being absorbed through the front end... again: https://xkcd.com/327/

  17. I am - whipslash Logan Abbott isn't... apk by Anonymous Coward · · Score: 0

    I am - whipslash Logan Abbott isn't - go figure! He knows he'd lose my bet that my screenshots are REAL unedited fact. Slashdot doesn't delete posts, eh? WRONG!

    APK

    P.S.=> What a pack of cheating liars - unbelievable! Between bogus "downmodpoints" I always run fools dry of in the end, libeling me, threatening me, harassing & stalking me by UNIDENTIFIABLE posts? No small wonder the world is what it is out there, today (pitifully populated by little cowardly worms & "ne'er-do-well" do-nothings on welfare or heroin)... apk

    1. Re:I am - whipslash Logan Abbott isn't... apk by Anonymous Coward · · Score: 0

      Have you stopped taking your meds?
      Calm the fuck down, breathe into a paper bag or whatever.

  18. Mad Gadget by jesuscyborg · · Score: 1

    The Mad Gadget vulnerability strikes again. https://opensource.googleblog....