Common Vulnerability Exposures

Question :

Question to answer: Based on your existing knowledge and the CVE unit resources, what do you think these code examples are trying to accomplish? What is the flaw in Apache Struts that is allowing these exploits to work? 

Question to answer: You are on the team tasked with fixing this Struts error for your organization. What sort of information do you need to gather before creating your plan of action? What can go wrong if you don’t have all the information gathered?

Question to answer: How angry are you at Equifax for allowing this vulnerability to remain unpatched for so long? Why do you think the patching was delayed? What would you have done differently?

Answer :

CVE stands for Common Vulnerabilities and Exposures. It works as the free dictionary toidentify vulnerabilities in software and firmware for the improvement of the security of the organization. 

Explanation of the code out of the CVE

Apache struts are the framework of an open-source, free, MVC structure that enables in craftinganup-to-date Java web application. The code of CVE 2017-5638 is vulnerable and remote code execution which helps the attackers to attack. This code affects the Apache struts through Jakarta Multipart parser(Cogswell, Greenan& Greyson, 2018). Apache Struts remote code execution with 2.3.5<2.3.31/2.5<2.5.10 of the Jakarta Multipart parser promotes the file uploading misuse. Then it permits the attackers to perform the function through a command #cmd= string for the crafted Content-Type HTTP header. 

Flaws in Apache Struts

There is vulnerability in the open-source web application for modern Java web applicationframework Apache Struts. The vulnerabilities cause with the meeting of the conditions such as – 

• When the Struts configuration is going to be set SelectFullNamespace has to be always set.

• When the Struts configuration file has the tag <action..> it does not mean to denote the non-compulsory attribution of namespace or wildcard namespace.

Fixing the Struts error

For fixing this configuration error for the organization up-gradation of Apache Struts version is required in the version of 2.3.35 or 2.5.17. it will help to fix the current vulnerability and every time the users should verify the settings of "namespace" (Nakagawa et al., 2019). The user should not forget to set the current action for the URL tags in the JPS either the condition where it requires having the upper action configuration without or wildcard namespace. 

The organization needs to collect information for the creation of the plan. The organization requires knowing the version of the Apache Struts framework is being used in the company currently.

Patching delay 

The delay in patching has made me angry as Equifax uses trusted unique data being a global information solution company. Patching delay and unfixing the error of the Apache Struts code can lead to the vulnerability attack on the company information (Cogswell, Greenan& Greyson, 2018). In order to take steps I have put a fraud alert on credit report besides looking on bank account and credit card statements.Because patching is a time consuming process to implement in the organization and it has to done manually so the authorities of the company has delayed in patching. Alternative tothe Equifax patching can be made through schedule a window, by downloading patches. The virtual server can be implement and by the verification of installed patches. Also it need to follow up regularly. 

References:

Cogswell, A., Greenan, B. J., & Greyson, P. (2018). Evaluation of two common vulnerability index calculation methods. Ocean & Coastal Management, 160, 46-51.

Nakagawa, S., Nagai, T., Kanehara, H., Furumoto, K., Takita, M., Shiraishi, Y., ...&Morii, M. (2019). Character-Level Convolutional Neural Network for Predicting Severity of Software Vulnerability from Vulnerability Description. IEICE Transactions on Information and Systems, 102(9), 1679-1682.