Apache Struts is an open-source framework for developing web applications using the Java programming language. It is used by many of the Fortune 100 companies for their web properties.
Researchers have discovered a vulnerability in the Apache Struts REST plugin affecting all versions of Apache Struts since 2008. This vulnerability has been assigned CVE-2017-9805. A successful exploitation of the vulnerability would allow attackers to execute arbitrary code.
A patch was released on September 5th, 2017 to address this vulnerability. Users are encouraged to update their installation of Apache Struts to version 2.3.34 or version 2.5.13 as soon as possible to remediate this threat. If an immediate upgrade is not possible, a change in the configuration to only serve HTML and JSON will mitigate the risk.
THREAT TECHNICAL DETAILS:
The Apache Struts RCE vulnerability provides a large risk surface because of the large number of organizations that use it for their web properties. Exploiting this vulnerability is very easy with just a web browser. A number of proof-of-concept examples are publicly available and a Metasploit module to exploit this vulnerability is available, making it very easy to obtain and deploy.
“At least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework,” the report said. “Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework. This illustrates how widespread the risk is.”
The bug specifically affects a popular plugin called REST, which developers use to handle web requests, like data sent to a server from a form a user has filled out. The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
That means intruders could easily inject malware into web servers, possibly without being detected, and use it to steal or delete sensitive data, or infect computers with ransomware, among other things.
“Organizations who use Struts should upgrade their components immediately,” said Man Yue Mo, a researcher at lgtm.com.
Apache Struts uses an XStreamHandler object to de-serialize objects with no filtering. If an XML payload is de-serialized without this filtering, a remote code execution exploit can be enacted.
For those users unable to immediately upgrade their installed Apache Struts version, it is recommended that they disable handling XML pages and requests to XML pages with the configuration change <constant name="struts.action.extension" value="xhtml,,json"/>. It is further advised to override the getContentType in the XStreamHandler object and to register that handler to override the framework-provided handler in the struts.xml configuration file. The Apache Struts security bulletin S2-052 provides instructions for making these changes.
IMPACT:
A successful exploitation of the CVE-2017-9805 Apache Struts RCE vulnerability would allow an attacker to execute arbitrary code.
AFFECTED SOFTWARE:
Apache Struts versions 2.1.2 through 2.3.33 and Apache Struts versions 2.5 through 2.5.12 have this vulnerability in their REST plugin.
MITIGATION STRATEGIES AND RECOMMENDATIONS:
Remediation for the Apache Struts RCE vulnerability is to upgrade to Apache Struts versions 2.5.14 or 2.3.34. If it is not possible to upgrade immediately, a mitigating step of disabling the REST plugin or configuring Apache Struts to only serve HTML and JSON with the following configuration line can be used.
<constant name="struts.action.extension" value="xhtml,,json"/>
Additional recommendations to override and register a new event handler are available in the Apache Struts security bulletin S2-052.
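The two workarounds above (dropping XML from the served extensions, and replacing the framework's XStreamHandler with one that filters what the XML may instantiate) are shown together below. This is an added illustration, not code from the advisory or from the Struts project. It assumes the pre-fix REST plugin's XStreamHandler exposes a protected no-argument createXStream() factory method (the method the unfiltered XStream instance is created in), which should be confirmed against the installed version and against bulletin S2-052; the package, class and bean names, and the com.example.model wildcard, are placeholders.

```java
package com.example.struts.hardening; // placeholder package

import java.util.Collection;
import java.util.Map;

import org.apache.struts2.rest.handler.XStreamHandler;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Replacement for the REST plugin's XStreamHandler that de-serializes XML
 * request bodies through an allow-list instead of the unfiltered default.
 *
 * Registration in struts.xml (constructed example; the bean name is arbitrary,
 * the struts.rest.handlerOverride.<extension> constant is the REST plugin's
 * mechanism for swapping a content-type handler):
 *
 *   <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
 *         name="hardenedXmlHandler"
 *         class="com.example.struts.hardening.HardenedXStreamHandler"/>
 *   <constant name="struts.rest.handlerOverride.xml" value="hardenedXmlHandler"/>
 *
 * Alternatively, stop serving XML at all (the advisory's first workaround) by
 * removing "xml" from the extension list the REST plugin ships with:
 *
 *   <!-- REST plugin default: XML requests reach the unfiltered handler -->
 *   <constant name="struts.action.extension" value="xhtml,,xml,json"/>
 *   <!-- mitigated: HTML and JSON only -->
 *   <constant name="struts.action.extension" value="xhtml,,json"/>
 */
public class HardenedXStreamHandler extends XStreamHandler {

    // Only these application types may be instantiated from incoming XML.
    // "com.example.model" is a placeholder for the application's own model package.
    private static final String[] ALLOWED_TYPES = { "com.example.model.**" };

    @Override
    protected XStream createXStream() {
        // The unpatched handler effectively returns `new XStream()`, which lets
        // the XML body name any class on the classpath (the root cause here).
        XStream stream = super.createXStream();

        // Deny every type first, then re-enable the minimum the application needs.
        stream.addPermission(NoTypePermission.NONE);
        stream.addPermission(NullPermission.NULL);
        stream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        stream.allowTypes(new Class[] { String.class });
        stream.allowTypeHierarchy(Collection.class);
        stream.allowTypeHierarchy(Map.class);
        stream.allowTypesByWildcard(ALLOWED_TYPES);
        return stream;
    }
}
```

With the deny-first permissions in place, an XML body that names a class outside the allow-list is rejected by XStream with a ForbiddenClassException before any object is constructed, which is the behaviour the upgraded plugin versions provide. The extension-list change is the simpler of the two and needs no code, but it also removes legitimate XML support; the handler override keeps XML working for the application's own types only.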
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from edge to endpoint.
- Ensure all operating systems and public-facing machines have the latest security patches, and antivirus software and definitions up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
BEST PRACTICES
Symantec recommends that all customers follow IT security best practices. These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
Minimum Recommended Best Practices Include:
- Disable default user accounts.
- Educate users to avoid following links to untrusted sites.
- Always execute browsing software with the least privileges possible.
- Turn on Data Execution Prevention (DEP) for systems that support it.
- Maintain a regular patch and update cycle for OS and installed software.
- For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx.
REFERENCES:
For additional information related to this threat/vulnerability please reference the following links:
- Apache Struts 2 Documentation S2-052