
Proposal: Case Study for CVE-2017-5638 (Remote Code Execution in Apache Struts 2) #69

@Aliya1615

Description


We are a group of two students from George Mason University (GMU) in the CS course on Secure Software Development.
ALIYA KOUSER RAFIULLA (GNumber: G01581959) and HASINI PULIMATE (GNumber: G01566306)

We propose to write a case study on CVE-2017-5638, a critical Remote Code Execution (RCE) vulnerability discovered in Apache Struts 2 in March 2017.

About the Vulnerability:
The Jakarta Multipart parser in Apache Struts 2 did not handle the Content-Type HTTP header safely. An attacker could send a forged Content-Type value that the server processed incorrectly, potentially leading to arbitrary remote code execution on the server. This vulnerability was actively exploited and ultimately led to the Equifax data breach of 2017, which exposed the personal information of about 147 million people.

Why This Case Study is Needed:
This vulnerability is a clear example of how poor input validation in a widely used framework can lead to real-world disaster. A case study would help inform developers about the risks of parsing unsanitized input and offer guidance on how to avoid similar problems in their own applications.

Our Plan:
We have reviewed existing case studies and open issues on this repository and confirmed that CVE-2017-5638 has not been covered. We plan to follow MITRE's style guide and submit a complete case study as a pull request.
We intend to proceed unless there are objections.

Emphasize Preventive Measures:

The systemic prevention strategies highlighted in this case study include:

To mitigate the risk from CVE-2017-5638, applications must never trust HTTP header values; every header must undergo strict input validation before it is accepted. For example, the Content-Type header of a request should be handled only as plain text and must never be treated as anything executable (e.g., commands).

The easiest way to avoid the CVE-2017-5638 vulnerability is to disable OGNL evaluation for error handling purposes. All user-supplied data should be treated as exactly that, plain text, and should never be executed as code. This eliminates the possibility of executing any commands a malicious user may have entered.

Lastly, other defense-in-depth strategies such as web application firewalls (WAFs) can help block requests that attempt to execute a command such as #cmd=. Routine security testing and code reviews are key to detecting unsafe input handling practices and will result in fewer problems like this being introduced into application code.
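As an added example (not part of this proposal or of Apache Struts itself), the following Python code shows the "treat the header as plain text" rule from the measures above: a Content-Type value is checked against the RFC 7230 media-type grammar and an application-specific allowlist, and is never evaluated or interpolated into anything executable. The allowlist and the request log entries are constructed assumptions for illustration.

```python
import re

# RFC 7230 "token" characters. Anything outside this set (such as '{', '}', '=' or a
# space) cannot appear unquoted in a media type, so its presence marks the header
# as malformed rather than as something to interpret.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'          # quoted-string parameter value
MEDIA_TYPE_RE = re.compile(
    r"^\s*(" + TCHAR + r")/(" + TCHAR + r")"                     # type/subtype
    + r"(?:\s*;\s*" + TCHAR + r"=(?:" + TCHAR + r"|" + QUOTED + r"))*\s*$"  # ; name=value
)

# Assumed allowlist: the media types this hypothetical application actually expects.
ALLOWED_TYPES = {"multipart/form-data", "application/x-www-form-urlencoded", "application/json"}

def validate_content_type(header):
    """Return (accepted, reason). The header is handled purely as text: it is matched
    against a grammar and an allowlist and never passed to an expression evaluator."""
    if header is None:
        return False, "missing"
    if len(header) > 256:
        return False, "too long"
    m = MEDIA_TYPE_RE.match(header)
    if not m:
        return False, "malformed media type"
    media_type = (m.group(1) + "/" + m.group(2)).lower()
    if media_type not in ALLOWED_TYPES:
        return False, "type not allowed"
    return True, "ok"

# Constructed sample requests (not real traffic): method, path, Content-Type header.
SAMPLE_REQUESTS = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("POST", "/login.action", "application/x-www-form-urlencoded"),
    ("POST", "/upload.action", "%{#cmd='constructed-test'}"),   # OGNL-looking junk, not a media type
    ("POST", "/api.action", "text/xml"),                        # well-formed but not expected here
    ("POST", "/upload.action", 'multipart/form-data; boundary="a b"'),  # quoted parameter is fine
]

def triage(requests):
    """Return (path, reason) for every request whose Content-Type fails validation,
    which is what a reviewer would want to see from a request log."""
    flagged = []
    for _method, path, ctype in requests:
        ok, reason = validate_content_type(ctype)
        if not ok:
            flagged.append((path, reason))
    return flagged
```

Rejected headers are reported by category only; the raw value is never echoed into an error message that could be re-evaluated downstream.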

We have reviewed existing case studies and open issues, and this vulnerability does not appear to be currently covered. We plan to submit this case study as a Pull Request in Markdown format, following the MITRE CVE documentation guidelines.

Kindly let us know if there are any objections to our submission or if we should proceed with drafting the case study.

Regards,
Authors: ALIYA KOUSER RAFIULLA (GNumber: G01581959) and HASINI PULIMATE (GNumber: G01566306)
Graduate students of George Mason University.
