The Apache Struts 2 web application fell victim to hackers at the start of March. Though the issue is no longer there, it served as another reminder to coders, developers and end users how important vigilance and security are in today’s online world.
According to the reports, a vulnerability in the Jakarta file upload multipart parser has allowed hackers to inject commands of their choice into the framework and execute malicious acts. With 48 hours, a team of experts overseeing the open source project had patched the vulnerability and issued a solution and a workaround. After discovering the vulnerability in Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10, the patch was released, and users were advised to update to 2.3.32 or 188.8.131.52.
Workaround was required before the patch
For those who could not or had not updated, cwiki.apache.org suggested the following workaround:
“Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data.”
As it stands, the issue is now under control, but those using the web application that failed to update or use the workaround are still vulnerable. From a developer’s perspective, the incident has highlighted the need not only to be thorough when reviewing code but also the importance of being able to react in a real time.
Indeed, attacks on the system continued days after the patch was released. As parts of the framework were updating, hackers were able to continue exploiting the weakness that forced those using the framework for their Java-based applications to use the workaround until the vulnerability was fully patched.
Web application firewall – An industry necessity
In a bid to protect users with access to apps using the framework, many vendors updated their web application firewall rules to block malicious requests. This collaboration with developers and security vendors has become crucial in recent years. Moreover, thanks to cloud-based firewalls offering real-time protection, users have experienced better protection rates.
Indeed, as highlighted by Incapsula, crowdsourcing techniques for web application firewalls have allowed security vendors to aggregate big-data analytics in a real time as well as “simultaneously apply mitigation rules”. By collecting data from multiple sources, these cloud-based firewalls have helped reduce the time between a threat being detected and rules being implemented to block them.
Do not sleep on security
However, as useful as the latest security options are, the Apache Struts 2 attack has also shown that those on the back-end also need to be alert to impending and current dangers. Without implementing the workaround, some apps could have remained vulnerable while the patches were being put into place.
In this instance, if a company using an app that did not have a web application firewall in place with the necessary rules to block any attacks, it could leave users at risk. To mitigate this risk, developers need to stay on top of their game and ensure any exploits are tackled in the appropriate way. Although the latest incident has not caused too much damage beyond the confines of the coding community, it should serve as a timely reminder that security can never be taken for granted in today’s world.
The author is an open source enthusiast.