[BreachExchange] Watch Out! Another Nasty Apache Struts Vulnerability Has Been Disclosed!

Destry Winant destry at riskbasedsecurity.com
Wed Aug 22 23:35:28 EDT 2018


https://www.riskbasedsecurity.com/2018/08/watch-out-another-nasty-apache-struts-vulnerability-has-been-disclosed/

Here we go again! Today, a brand new Apache Struts vulnerability
(CVE-2018-11776) has been disclosed that can result in remote code
execution. Sure, the patch is out there, but this one is a CVSSv2 10.0
or “Critical” issue, which for many organizations should mean a full
stop, all hands on deck, until things are patched. While full
technical details are minimal so far, we have managed to aggregate
some useful info for our VulnDB customers.

Even though this issue has just been disclosed, VulnDB has already
rated its ‘Social Risk Score’ as High. This means that based on the
already strong social media presence discussing the vulnerability, the
odds of active exploitation will be higher than average. You may also
notice that we currently classify this as “Exploit Unknown”. In
reality, we’re fairly sure that a proof-of-concept exists for this,
that was shared with the Apache team as part of the initial disclosure
to them. When we see evidence of a public proof-of-concept, a full
working exploit, or active exploitation, this will be updated. An
important aspect of vulnerability intelligence is not just getting the
information out there quickly, but to keep it updated with the latest
details.

It is a shame that we feel the need to blog about yet another critical
vulnerability, since every organization should have a reliable
vulnerability intelligence feed. Unfortunately, this disclosure
reminds us of last year, when Equifax was compromised due to a
vulnerability in the same software (dubbed ‘Struts-shock’). We blogged
extensively on that incident since it hit the world of vulnerability
disclosure and data breaches, our two specialties. Like last year’s
vulnerability, the disclosure today is almost identical in severity,
software affected, and potential for organizations to get hit hard.

When we say “another critical vulnerability”, we refer to the fact
there have been 1,426 vulnerabilities disclosed in 2018 alone, with a
CVSSv2 score of 10.0. While many of those scores are simply due to a
lack of details and CVSS guidelines that say “score for the worst
impact”, many of them are truly critical. Even worse, 500 of those
vulnerabilities don’t even have a CVE ID. Organizations relying on CVE
or NVD will find themselves hard-pressed to properly manage risk.
Fortunately for those organizations, this new Apache Struts
vulnerability does have a CVE ID, and MITRE has already opened it up
in their database! Unfortunately, NVD has it marked as ‘RECEIVED’,
which means it “has been received by the NVD and has not been
analyzed”. Due to their backlog, vulnerabilities in this status can
take up to 12 weeks before being “analyzed”, at which point NVD
assigns CPE and CVSS information to it.

The headlines last year roasted Equifax over the breach because the
vulnerability used to compromise them was publicly known for weeks
before they patched. It is easy to jump on the bandwagon and hate on
Equifax, but it is important to remember that they were just one of
3,813 organizations that suffered a data breach last year as a result
of external hacks! This year, our CRA team is already tracking 1,419
breaches due to external hacking.

For organizations that may say “well we don’t use Apache Struts, we’re
safe!”, we want to remind you that Apache Struts is a third-party
library of sorts and can be found in numerous high-profile products.
Last year’s ‘Struts-shock’ vulnerability ended up impacting a wide
variety of software including:

- Atlassian Bamboo, Crowd, and Hipchat
- Cisco Identity Services Engine, Prime License Manager, MediaSense,
SocialMiner, Unified Communications Manager products, and many more.
- Hitachi HiRDB products
- IBM Connections, SAN Volume Controller, Storwize products, and more
- MicroFocus Universal CMDB Foundation
- Oracle Financial Services products and many more
- VMware vCenter Server and more

This type of vulnerability is a great reminder that using asset-based
inventory for vulnerability tracking, especially in large
organizations, is far more efficient than classic vulnerability
scans. That approach, leveraging a timely and robust vulnerability
intelligence feed, will allow your organization to respond to threats
and manage risk more quickly.
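The point of the two paragraphs above (Struts ships inside other vendors' products, so tracking has to happen at the component level of an asset inventory rather than by scanning for Struts itself) can be shown with a small matcher. The following is an added example, not code from Risk Based Security or from the post; the inventory format, the asset and product names, and the affected version ranges are all constructed for illustration and are not the advisory's real data. Only the CVE ID is taken from the post.

```python
# Added example: component-level asset inventory matching for a newly
# disclosed library vulnerability. Everything below except the CVE ID is
# constructed for illustration; the version ranges are NOT the real ones.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.5.10' (or '2.5.10-rc1') into a comparable tuple of ints.
    Non-numeric fragments are dropped, so '2.5.10-rc1' becomes (2, 5, 10)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def in_ranges(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


@dataclass
class Asset:
    name: str                      # what the inventory calls the deployed thing
    product: str                   # vendor product or application it runs
    version: str
    components: Dict[str, str] = field(default_factory=dict)  # bundled libs -> version


@dataclass
class Advisory:
    vuln_id: str
    component: str                      # the vulnerable library
    affected: List[Tuple[str, str]]     # inclusive (low, high) version ranges


def affected_assets(inventory: List[Asset], advisory: Advisory) -> List[Tuple[str, str]]:
    """Return (asset name, reason) for every asset that ships the vulnerable
    component in an affected version, either directly or bundled inside a
    vendor product. A banner scan for the library itself would miss the
    bundled case; the inventory's component list is what finds it."""
    hits = []
    for asset in inventory:
        if asset.product == advisory.component and in_ranges(asset.version, advisory.affected):
            hits.append((asset.name, f"runs {asset.product} {asset.version} directly"))
            continue
        ver = asset.components.get(advisory.component)
        if ver is not None and in_ranges(ver, advisory.affected):
            hits.append((asset.name,
                         f"{asset.product} {asset.version} bundles {advisory.component} {ver}"))
    return hits


# Constructed sample inventory; vendor and product names are placeholders.
INVENTORY = [
    Asset("payments-portal", "apache-struts", "2.5.10"),
    Asset("vendor-appliance-x", "ExampleVendor Appliance", "7.2", {"apache-struts": "2.3.20"}),
    Asset("vendor-appliance-y", "ExampleVendor Appliance", "8.0", {"apache-struts": "2.5.99"}),
    Asset("db-server-01", "ExampleDB", "12.1"),
]

# Only the CVE ID comes from the post; these version ranges are constructed.
ADVISORY = Advisory("CVE-2018-11776", "apache-struts",
                    [("2.3.0", "2.3.30"), ("2.5.0", "2.5.12")])

if __name__ == "__main__":
    for name, reason in affected_assets(INVENTORY, ADVISORY):
        print(f"{ADVISORY.vuln_id}: {name} - {reason}")
```

With the constructed data, the portal that runs Struts directly and the appliance that bundles an in-range Struts are both reported, while the appliance with an out-of-range bundled version and the database server are not. In practice the inventory's component lists would come from the organization's own asset or SBOM data and the version ranges from the vulnerability intelligence feed.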

