Posted to dev@mnemonic.apache.org by "Gang(Gary) Wang" <ga...@apache.org> on 2017/09/13 17:14:21 UTC

Learn from Equifax breach

One of our contributors told me that this breach is related to a
serialized object that Mnemonic has tried to avoid as below

"However, “for either vulnerability, the process is basically the same. The
attacker sends a specific HTTP request containing some special syntax.  In
one case, an OGNL expression.  In the other, a serialized object,” he said
in comments emailed to SC Media. “The Equifax Struts application would
receive this request, and get tricked into executing operating system
commands.”

The attacker can then “use these to take over the entire box – do anything
the application can do,” Williams said. “So, they probably stole the
database credentials out of the application, ran some queries, and then
exfiltrated the data to some server they control on the internet.”"

https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/

IMHO, from the technical viewpoint, Mnemonic has nothing to do with how to
interact with the UI layer. Theoretically, Mnemonic's linked durable objects
could be transferred between different layers to avoid SerDe; user code
makes use of those durable objects for its own business logic.

Regarding the Durable Query Model (DQM), it has not yet been fully
implemented; we need to consider any possible injection and provide the
proper measures to prevent potential breaches.

Thanks!
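The "serialized object" vector quoted above works because Java's default ObjectInputStream instantiates whatever class names appear in the byte stream, so the attacker, not the application, chooses which classes get constructed. The following is an editor-added Java example, not Mnemonic's code and not the Struts code involved in the breach; AllowlistDeserializer, Order and readOrder are hypothetical names. It shows the standard "look-ahead" mitigation: checking the class name in resolveClass before anything is loaded, and rejecting everything that is not on an explicit allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (hypothetical, not project code): deserialization that refuses
 * any class outside an explicit allowlist. A plain ObjectInputStream would
 * resolve and construct whatever class the untrusted stream names.
 */
public class AllowlistDeserializer {

    /** Hypothetical application type that we do expect to receive. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    /** ObjectInputStream that vets every class descriptor before it is resolved. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Reject before Class.forName: nothing is loaded or constructed
            // for a class that is not on the list.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize untrusted bytes, accepting only Order (String and int need no entry). */
    static Order readOrder(byte[] untrusted) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList(Order.class.getName()));
        try (ObjectInputStream in = new LookAheadObjectInputStream(untrusted, allowed)) {
            return (Order) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate Order, and an arbitrary JDK object
        // standing in for an attacker-chosen class (real gadget chains are also
        // built from JDK and library classes, not from the application's own).
        byte[] good = serialize(new Order("ABC-123", 2));
        byte[] bad = serialize(new java.util.Date());

        Order o = readOrder(good);
        System.out.println("accepted: " + o.sku + " x" + o.quantity);

        try {
            readOrder(bad);
            System.out.println("BUG: arbitrary class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check sits in resolveClass, which runs before the class is loaded, so a rejected stream never reaches any constructor, readObject hook or gadget chain. On JDK 9+ (and 8u121+ via JEP 290) the same policy can be expressed with java.io.ObjectInputFilter or the jdk.serialFilter system property instead of subclassing. Neither helps if the attacker controls an OGNL expression rather than a byte stream; that vector needs the framework fix, not a deserialization filter.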

Re: Learn from Equifax breach

Posted by Debojyoti Dutta <dd...@gmail.com>.
Ok will create a Jira and take it up. 

Sent from my iPhone

> On Sep 13, 2017, at 11:00 AM, Gang(Gary) Wang <ga...@apache.org> wrote:
> 
> Sure and please also point out which need to be fixed if possible, Thanks!
> 
>> On Wed, Sep 13, 2017 at 10:52 AM, Debojyoti Dutta <dd...@gmail.com> wrote:
>> 
>> Thanks Gary for the insightful thread. Maybe run our code base against a
>> threat ID tool?
>> 
>> Debo
>> 
>> Sent from my iPhone
>> 
>>> On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <ga...@apache.org> wrote:
>>> 
>>> One of our contributors told me that this breach is related to a
>>> serialized object that Mnemonic has tried to avoid as below
>>> 
>>> "However, “for either vulnerability, the process is basically the same. The
>>> attacker sends a specific HTTP request containing some special syntax.  In
>>> one case, an OGNL expression.  In the other, a serialized object,” he said
>>> in comments emailed to SC Media. “The Equifax Struts application would
>>> receive this request, and get tricked into executing operating system
>>> commands.”
>>> 
>>> The attacker can then “use these to take over the entire box – do anything
>>> the application can do,” Williams said. “So, they probably stole the
>>> database credentials out of the application, ran some queries, and then
>>> exfiltrated the data to some server they control on the internet.”"
>>> 
>>> https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/
>>> 
>>> IMHO, from the technical viewpoint, Mnemonic has nothing to do with how to
>>> interact with the UI layer. Theoretically, Mnemonic's linked durable objects
>>> could be transferred between different layers to avoid SerDe; user code
>>> makes use of those durable objects for its own business logic.
>>> 
>>> Regarding the Durable Query Model (DQM), it has not yet been fully
>>> implemented; we need to consider any possible injection and provide the
>>> proper measures to prevent potential breaches.
>>> 
>>> Thanks!
>> 

Re: Learn from Equifax breach

Posted by "Gang(Gary) Wang" <ga...@apache.org>.
Sure and please also point out which need to be fixed if possible, Thanks!

On Wed, Sep 13, 2017 at 10:52 AM, Debojyoti Dutta <dd...@gmail.com> wrote:

> Thanks Gary for the insightful thread. Maybe run our code base against a
> threat ID tool?
>
> Debo
>
> Sent from my iPhone
>
> > On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <ga...@apache.org> wrote:
> >
> > One of our contributors told me that this breach is related to a
> > serialized object that Mnemonic has tried to avoid as below
> >
> > "However, “for either vulnerability, the process is basically the same. The
> > attacker sends a specific HTTP request containing some special syntax.  In
> > one case, an OGNL expression.  In the other, a serialized object,” he said
> > in comments emailed to SC Media. “The Equifax Struts application would
> > receive this request, and get tricked into executing operating system
> > commands.”
> >
> > The attacker can then “use these to take over the entire box – do anything
> > the application can do,” Williams said. “So, they probably stole the
> > database credentials out of the application, ran some queries, and then
> > exfiltrated the data to some server they control on the internet.”"
> >
> > https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/
> >
> > IMHO, from the technical viewpoint, Mnemonic has nothing to do with how to
> > interact with the UI layer. Theoretically, Mnemonic's linked durable objects
> > could be transferred between different layers to avoid SerDe; user code
> > makes use of those durable objects for its own business logic.
> >
> > Regarding the Durable Query Model (DQM), it has not yet been fully
> > implemented; we need to consider any possible injection and provide the
> > proper measures to prevent potential breaches.
> >
> > Thanks!
>

Re: Learn from Equifax breach

Posted by Debojyoti Dutta <dd...@gmail.com>.
Thanks Gary for the insightful thread. Maybe run our code base against a threat ID tool?

Debo

Sent from my iPhone

> On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <ga...@apache.org> wrote:
> 
> One of our contributors told me that this breach is related to a
> serialized object that Mnemonic has tried to avoid as below
> 
> "However, “for either vulnerability, the process is basically the same. The
> attacker sends a specific HTTP request containing some special syntax.  In
> one case, an OGNL expression.  In the other, a serialized object,” he said
> in comments emailed to SC Media. “The Equifax Struts application would
> receive this request, and get tricked into executing operating system
> commands.”
> 
> The attacker can then “use these to take over the entire box – do anything
> the application can do,” Williams said. “So, they probably stole the
> database credentials out of the application, ran some queries, and then
> exfiltrated the data to some server they control on the internet.”"
> 
> https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/
> 
> IMHO, from the technical viewpoint, Mnemonic has nothing to do with how to
> interact with the UI layer. Theoretically, Mnemonic's linked durable objects
> could be transferred between different layers to avoid SerDe; user code
> makes use of those durable objects for its own business logic.
> 
> Regarding the Durable Query Model (DQM), it has not yet been fully
> implemented; we need to consider any possible injection and provide the
> proper measures to prevent potential breaches.
> 
> Thanks!