 Channel Futures

Security


Apache Struts 2 Users Urged to Patch Critical Security Vulnerability

  • Written by Todd R. Weiss
  • August 23, 2018
Patched code is available to protect against possible remote code execution attacks, but more vulnerabilities could still exist.

Users should immediately patch a “critical” remote code execution vulnerability in the open-source Apache Struts 2 Java web application framework.

The vulnerability, reported by Man Yue Mo from Semmle Security Research, can allow possible remote code execution (RCE) by an attacker, according to an announcement from the Apache Software Foundation.

Affected are Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.

The RCE attack can successfully occur “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace,” according to Man Yue Mo’s report. “Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”

All Struts 2 developers and users should immediately upgrade their Apache Struts applications to version 2.3.35 or 2.5.17 to protect against the latest vulnerability, according to the Apache Software Foundation. Both new versions 2.3.35 and 2.5.17 contain the security fixes only, and no backward incompatibility issues are expected, Apache said.

Users should also verify that a namespace is set for every result defined in the application’s configuration, and that a value or action is set for every url tag in their JavaServer Pages; both checks close the configuration pattern that the attack depends on.

“Both are needed only when their upper action(s) configurations have no or wildcard namespace,” the Apache announcement adds.
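The two configuration checks above can be automated. The following Python script is an added example, not code from the article, from Semmle or from the Struts project: it parses a struts.xml and reports every result that has no namespace inside a package whose namespace is missing or contains a wildcard, and scans JSP text for url tags that set neither value nor action. The sample configuration and JSP are constructed for the example. It assumes a result’s namespace is supplied as a `<param name="namespace">` element (the form redirectAction results take) and that the Struts tag library is bound to the usual `s` prefix; it flags every result in an open package, which is conservative.

```python
"""Check Struts configuration for the pattern the advisory describes: results
without a namespace inside packages whose namespace is absent or a wildcard,
and <s:url> tags in JSPs with neither value nor action. Added example; not
code from the article, from Semmle or from the Struts project."""
import re
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not a real application). The result namespace
# is assumed to be supplied as <param name="namespace">, as redirectAction
# results take it; "wild" should be flagged, the other two packages should not.
SAMPLE_STRUTS_XML = """<struts>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="nons" extends="struts-default">
    <action name="logout" class="example.LogoutAction">
      <result name="success" type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/public</param>
      </result>
    </action>
  </package>
  <package name="scoped" extends="struts-default" namespace="/admin">
    <action name="users" class="example.UsersAction">
      <result name="success" type="redirectAction">
        <param name="actionName">list</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed sample JSP: the second <s:url> has neither value nor action.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<a href="<s:url action="home"/>">Home</a>
<a href="<s:url><s:param name="id" value="42"/></s:url>">Same page</a>
<a href="<s:url value="/static/help.html"/>">Help</a>"""


def package_namespace_is_open(pkg):
    """True when the package has no namespace or a wildcard in it."""
    ns = pkg.get("namespace")
    return ns is None or "*" in ns


def result_has_namespace(result):
    """True when the result carries a non-empty namespace param."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))


def find_unscoped_results(struts_xml):
    """(package, action, result) for each result lacking a namespace whose
    enclosing package has no namespace or a wildcard one."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_open(pkg):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if not result_has_namespace(result):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


# Opening <s:url ...> tag (assumes the usual "s" prefix) and its attributes.
URL_TAG = re.compile(r"<s:url\b([^>]*?)/?>")
URL_TARGET = re.compile(r"\b(value|action)\s*=")


def find_bare_url_tags(jsp_text):
    """Every <s:url> opening tag that sets neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not URL_TARGET.search(m.group(1))]


if __name__ == "__main__":
    for pkg, action, result in find_unscoped_results(SAMPLE_STRUTS_XML):
        print(f"result '{result}' of action '{action}' in package '{pkg}' has no namespace")
    for tag in find_bare_url_tags(SAMPLE_JSP):
        print(f"url tag without value/action: {tag}")
```

Run it over the real struts.xml and JSP files of each deployed application. A clean result only shows that the configuration mitigation is in place; the upgrade to 2.3.35 or 2.5.17 is still required.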

In its own announcement about the vulnerability, Semmle Research said that “organizations and developers who use Struts are urgently advised to upgrade their Struts components immediately. Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk.”

The vulnerability is located in the core of Apache Struts and all applications that use Struts are potentially vulnerable, even when no additional plug-ins have been enabled.

Remote code execution vulnerabilities are the most severe type of security issue because they allow attackers to take control of a vulnerable system, giving them an entry point into corporate networks where infrastructure and data can be placed at risk, Semmle said. 

Struts applications are particularly exposed because an attack requires no existing privileges and because it is often easy for an attacker to determine whether an application is vulnerable.

“This vulnerability affects commonly used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” Man Yue Mo said. “On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past. On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September.”

Brian Fox, the CTO of open-source security vendor Sonatype and an active member and code committer with the Apache Software Foundation, told Channel Futures that Man Yue Mo’s research also identified potential attack scenarios in the code beyond those addressed by the new patches.

“It means you can’t let your guard down for more potential upgrades in the future,” said Fox.

By updating Struts 2 versions to the new code, users can close the attack opportunities today, he said.

“But given that it’s a remote exploit, merely updating doesn’t mean you are off the hook.”

Companies must then assess their systems for signs that attackers have already done damage, including whether any back doors have been installed, he said.

“If they look at their configurations and determine they are potentially vulnerable, they will want to look at their logs to see if they are having any unusual behavior in the systems.”
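One concrete way to do the log review Fox describes, as an added example that is not part of the article: OGNL-injection attacks against Struts carry the expression in the request, so a first pass over web server access logs looks for OGNL syntax (`${`, `%{`, or an `@class@method` static call) in the request URL after percent-decoding, including double-encoded forms. The log lines, addresses and paths below are constructed, the combined log format is an assumption, and the marker set is a heuristic that can miss obfuscated payloads.

```python
"""Scan web server access logs for OGNL expression syntax in request URLs.
Added example, not from the article; it assumes (as for Struts OGNL injections
generally, not something the article states) that the expression arrives in the
request path, and that logs are in Apache/Nginx combined format."""
import re
from urllib.parse import unquote

# Constructed sample lines, not real traffic: two probes from 10.0.0.9 carry an
# arithmetic OGNL expression, once URL-encoded and once double-encoded.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [23/Aug/2018:10:01:12 +0000] "GET /app/login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Aug/2018:10:01:40 +0000] "GET /app/%24%7B%281%2B1%29%7D/home.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
10.0.0.9 - - [23/Aug/2018:10:02:03 +0000] "GET /app/%2524%257B%282%2B2%29%257D/home.action HTTP/1.1" 302 0 "-" "python-requests/2.19.1"
10.0.0.7 - - [23/Aug/2018:10:03:55 +0000] "GET /app/static/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# OGNL delimiters ${ and %{, plus the @class@method static-call form.
OGNL_MARKER = re.compile(r"\$\{|%\{|@[\w.]+@")


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly until stable, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ognl_probes(log_text):
    """(ip, timestamp, decoded_uri, status) for every request whose URL
    contains OGNL syntax after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        uri = decode_fully(m.group("uri"))
        if OGNL_MARKER.search(uri):
            hits.append((m.group("ip"), m.group("ts"), uri, int(m.group("status"))))
    return hits


def probing_sources(hits):
    """Number of flagged requests per client address, most active first."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = find_ognl_probes(SAMPLE_ACCESS_LOG)
    for ip, ts, uri, status in hits:
        print(f"{ts} {ip} {status} {uri}")
    print(probing_sources(hits))
```

A hit with a 200 or 302 response on an action endpoint is the case to escalate: pivot on the client address, look at everything else it requested, and treat the host as possibly compromised until the back-door check Fox describes has been done. No hits is not evidence of no compromise; it only means this heuristic found nothing in the logs that were kept.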

Amy DeMartine, an analyst with Forrester, said that to prevent such attacks, it’s recommended that all websites be protected by runtime protection tools such as a web application firewall (WAF), as well as a runtime application self-protection tool (RASP). 

“However, you never want that to be your only protection — we recommend a zero-trust architecture where there is no network perimeter to protect applications and the data they use and create,” she said. “And fixing the affected systems is the best protection of all and reduces any lag time that runtime protection takes to remediate issues in real time. In many firms, not all websites have runtime protection either because they aren’t deemed critical or because they aren’t visible to the security team.”

That’s not a good practice, she said, because those systems will have no runtime protection and may also go unpatched.

“For those organizations who want to move to being proactive and not reactive (Struts 2 has a laundry list of vulnerabilities associated with it), software composition analysis tools (SCA) can scan applications before they are released, showing which components are vulnerable so that they are fixed in development,” said DeMartine. “Additionally, most SCA vendors will proactively notify a company if they have a newly identified vulnerable component for faster and targeted patching.”

Users of open-source software should also work hard to keep the versions of the components they use current, because fixes are usually provided for only a few versions, she said.
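The affected version ranges given earlier in the article and the pre-release component check DeMartine describes can be combined in a small script. The following is an added example, not from the article or from any SCA vendor: it reads a Maven pom.xml, resolves versions given as properties, and classifies every org.apache.struts dependency against the affected ranges (2.3 to 2.3.34, 2.5 to 2.5.16) and the fixed releases (2.3.35, 2.5.17). The pom.xml is constructed for the example.

```python
"""Minimal software-composition check of a Maven pom.xml for the Struts
versions the article lists as affected (2.3 to 2.3.34, 2.5 to 2.5.16; fixed in
2.3.35 and 2.5.17). Added example, not from the article or any SCA vendor."""
import xml.etree.ElementTree as ET

# Inclusive affected ranges and the fixed release of each line, from the article.
AFFECTED = (((2, 3), (2, 3, 34)), ((2, 5), (2, 5, 16)))
FIXED_IN = {(2, 3): "2.3.35", (2, 5): "2.5.17"}

# Constructed sample pom.xml; the version is taken from a property, as real
# builds often do, so the checker has to resolve it.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); stops at the first non-numeric component."""
    parts = []
    for p in text.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def struts_status(version):
    """'affected', 'fixed' or 'unlisted' against the article's ranges.
    'unlisted' means outside both ranges, not known-safe."""
    v = parse_version(version)
    for low, high in AFFECTED:
        if low <= v <= high:
            return "affected"
        if v[:2] == low and v > high:
            return "fixed"
    return "unlisted"


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml):
    """(artifactId, resolved version, status, fixed-in release) for each
    org.apache.struts dependency declared in the POM."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    report = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        group, artifact, version = (_child_text(dep, n)
                                    for n in ("groupId", "artifactId", "version"))
        if group != "org.apache.struts" or not version:
            continue
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)  # resolve ${property}
        report.append((artifact, version, struts_status(version),
                       FIXED_IN.get(parse_version(version)[:2])))
    return report


if __name__ == "__main__":
    for artifact, version, status, fixed in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {status}" + (f" (upgrade to {fixed})" if fixed else ""))
```

It only sees versions declared in the POM itself. Struts pulled in transitively, or versioned through a parent POM or a dependencyManagement section, appears only in the resolved tree (mvn dependency:tree), which is where a real SCA tool looks; and a version outside both ranges is reported as unlisted, not as safe.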

“With the success of the Equifax breach, it’s likely that malicious attackers will be excited to see another Struts 2 vulnerability,” said DeMartine. “Firms can employ such tools as security analytics platforms to speed detection, investigation and response to threats. Vendors such as BAE Systems, E8 Security, Fortinet, Hewlett Packard Enterprise (HPE), Huntsman Security, IBM, Intel Security, LogRhythm, RSA, Securonix and Splunk all have security analytics platforms.” 
