The difficulty with patching deserialization vulnerabilities11th September 2017
Last week, it was reported that a possible cause behind the Equifax data breach was a vulnerability in the Apache Struts REST plugin. The older version of the plugin is vulnerable to Remote Code Execution attacks when it is used with XStream handler to handle XML payloads. The cause is deserialization of untrusted data, which is a well-known vulnerability type. The vulnerability, officially recognized as CVE-2017-9805, was patched by Apache September 5th in the Struts version 2.5.13. It was then announced and clearly documented in the Apache Struts documentation.
Simply upgrading to the newest Struts version can protect the application from this attack, so why do companies not upgrade immediately? The problem with deserialization vulnerabilities is that the routines that are being exploited are often those that the application code relies on. In this case, applying the new Struts patch might have some side effects, as the documentation on the vulnerability mentions, "It is possible that some REST actions stop working because of applied default restrictions on available classes." It is very likely that making sure the application keeps working on newer versions of Struts takes some time.
Hackers, however, do not need as much time to start abusing published vulnerabilities, and we can already see some exploits published. A Metasploit module was added September 8th, that's three days after Apache patched the vulnerability. Postponing your patch is clearly not a good idea!
The solution is to implement a workaround suggested by Apache, which could be done in a shorter time frame. A security tool with configurable coding guidelines to enforce this workaround or even automatically apply it would greatly speed up this process.
Do you want to know more about how to identify and secure code that contains deserialization of untrusted data? Visit the Secure Code Warrior portal for a clear explanation and a training challenge.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.