Hacker News new | comments | show | ask | jobs | submit login

I am very surprised the root cause of the incident wasn't mentioned by any other HNers

This is a serious exploit on Apache Struts 2, a popular Java Web framework known as SSH (Spring, Struts, Hibernate). If you visit many websites, and see URLs ending with .action , it's probably written in Struts 2

S2-016 / CVE-2013-2251, effecting Struts 2.3.15 or lower


The exploit was deadly easy to weaponize as the Apache folks blatantly published PoC on their own bulletin

Example of server side arbitary Java code (OGNL expressions) execution


Apple.com hacking was published on a popular Chinese security bulletin website


The issue was submitted to APPL on 2013-05-10 but ignored, and went public on 2013-06-24.

A Chinese blog on history and technical details of the exploit:


As a side note, rumor is that about 60% of Chinese goverment, e-commerce, banking, gaming websites was hacked using this S2-016 exploit, database was dumped, and exchanged in underground market. Also past records shows that the Apache Struts team is incompetent at security:

http://taosay.net/?p=611 (Warning: rant in Chinese text)

So Struts which has the fix for this was released 16 July 2013. In fairness, it may be that Apple, being as big a target as they are, had little time to react before they were penetrated. But this really goes to show that when you are informed of a "highly critical" remote code execution vulnerability in one of your public-facing applications, you need to drop what you are doing, take the service offline immediately and start the process of upgrading/patching. You may literally have only minutes.

This reminds me of the post I saw on here, can't remember exactly what it was called, but the guy talked about putting servers up with a honey pot and at this point within hours they're getting scanned and probed.

He said it used to take days or weeks for that to happen. Now it's hours.

I used to work for the kind of companies that only use Struts+Spring+Hibernate, and it's simply appalling how many of their applications are running on year-old library versions with severe security flaws. One week is the median lead time for an emergency deployment.

It was mentioned on this thread, 2 hours ago:


This link points to the top comment on another thread (which has more points and comments as of now) about the Dev Website outage.

yeah but the reaction was vastly different.

I remember the last RoR exploit was quite a thing on HN few months ago. But not this Struts 2 one.

Tip: if you see some URL end with .action, it's propably Struts 2 and vunlerable to S2-012, S2-015 and S2-016 such.

Besides, apple.com was hacked as early as in May using similar Struts2 exploits.

I don't think Struts is nearly as popular with the HN community as RoR

IIRC when YAML exploits were announced it was quite popular to call rubyists incompetent amateurs.

Stating and/or implying that others are less competent than our idealized selves is what this community loves to do most. Any particular tech is incidental.

Can't believe how easy that exploit is

What I can't believe is that an expression language that so directly interoperates with Java objects is processed from request parameters.

I can't conceive of the specific use-case that justified adding this, but it's so clearly a bad a idea that it doesn't appear bad only in hindsight. It appears bad in foresight.

"I'm going to accept and execute arbitrary expressions from clients, and these expressions can interact with arbitrary Java code, is that cool?"


As the person who made that decision some time ago[1] I can tell you that basically we didn't fully appreciate or understand all the features OGNL supported at the time.

As we realized it could, say, invoke static functions and execute extremely complex expressions, we realized the hole. Since then the team has been patching them piece by piece, but really OGNL should be thrown out and replaced with something that is far more limited in it's capabilities.

It's been a long time since I was an active contributor, but that'd be my recommendation if I was still hacking away on it.

[1] https://news.ycombinator.com/item?id=6081428

>Also past records shows that the Apache Struts team is incompetent at security

Compared to Rails, PHP, what?

I don't think there is any evidence that the hack attempt was linked to this vulnerability. It seems more likely that it was the Turkish hacker.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact