The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) recently released a list of the top 10 most commonly exploited software vulnerabilities across the last four years.
Apache Struts was the second most attacked technology on the list. Apache Struts is an open source web application framework for developing Java EE web applications. While it made headlines as the root cause within the Equifax breach, it was also tied to six other breaches that year and in years since.
Adversaries breached web applications at Equifax and six other organizations that relied on the Struts framework. Breaches occurred within three days of the vulnerability being announced.
According to Wikipedia:
[Struts 2] uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. Struts 2 has a history of critical security bugs, many tied to its use of OGNL technology; some vulnerabilities can lead to arbitrary code execution. It was reported that failure by Equifax to address a Struts 2 vulnerability advised in March 2017 was later exploited in the data breach that was disclosed by Equifax in September 2017.
Note that this Struts CVE is dated back to 2017, yet CISA and the FBI classify it as one of the most successful breach entry points by adversaries. It has not only been known to be vulnerable since 2017, but known safe versions of Struts were made available on the same day in 2017 that this vulnerability was announced. In other words, the breaches were 100% avoidable if the development teams took the effort to update their Struts framework.
Vulnerable Versions of Struts Are Still Downloaded
Three years after the Equifax and other Struts related breaches, downloads of vulnerable Struts versions are still on the rise. A year ago, monthly vulnerable (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by April Downey. Read the original post at: https://blog.sonatype.com/department-of-homeland-security-cybersecurity-top-10-vulnerabilities-still-being-exploited