Back to qualys.com
6 posts

British Airways Hack Triggers GDPR Concerns, as World Awaits Windows 0-Day Patch

A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.

Could British Airways hit GDPR turbulence after data breach?

Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.

Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.

Continue reading …

Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug

Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.

New Struts Bug Should Be Patched Yesterday

Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.

In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.

The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.

Organizations should upgrade to the patched Struts versions even if their applications aren’t  vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.

Continue reading …

Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776

A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.

Update August 24, 2018: A dashboard for this vulnerability is now available to download.

Continue reading …

Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities

Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.

Oracle also released Patch 25878798 for Solaris 10 and 11.3 which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR  has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. “Ebbisland” or “Ebbshave”) was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.

Out of the 299 total fixes MySQL, Financial Services, Retail and Fusion Middleware take the lion’s share of fixes and the distribution is shown in the chart below. Majority of the vulnerabilities in the Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol and attackers can take complete control of the system remotely without the need of any credentials.

Continue reading …

A Comprehensive Approach to Detect and Block the Struts Critical Vulnerability CVE-2017-5638

With hackers taking advantage of the Apache Struts vulnerability and aggressively attacking enterprises worldwide, Qualys can protect your organization from this critical bug, which is hard to detect and difficult to patch.

Recently disclosed, the Struts vulnerability is being actively attacked in the wild, as hackers jump at the chance to hit high-profile targets by exploiting this critical bug. Struts, an Apache open source framework for creating “enterprise-ready” Java web applications, is abundantly present in large Internet companies, government agencies and financial institutions.

For an informative walkthrough of the vulnerability and the Qualys detections, please view the Detect and Block Apache Struts Bug webcast recording.

Continue reading …

Qualys WAF 2.0 Protects Against Critical Apache Struts Jakarta Vulnerability ( CVE-2017-5638 )

On March 8, 2017, Qualys published a detailed blog to describe a critical vulnerability in Apache Struts2 Jakarta multipart parser that exposes vulnerable applications to Remote Command Execution attacks. Exploits of this vulnerability can allow attackers to steal critical data or take control of your application servers.

Qualys Web Application Firewall (WAF) 2.0 allows you to create custom security rules to detect and block attacks that try to exploit this vulnerability.

Continue reading …