Massive & Widespread Java Zero-Day Exploit Makes Heartbleed Look Tame

(Ping! Zine Web Hosting Magazine) – A tough-to-fix Java deserialization vulnerability impacting millions of production applications worldwide has businesses and software vendors scrambling. As a result of this dangerous and pervasive flaw, Contrast Security has created the first automated defense, employing a dedicated Runtime Application Self-Protection (RASP) Protection Module that is free and open source for anyone to use and blocks any attempts to exploit this vulnerability.

Vulnerable Apps Pose a Major Business Risk

The Java deserialization vulnerability is a widespread and serious threat. Serialization is an extremely common method for applications to communicate complex data structures. Any application that processes serialized objects can be attacked. Importantly, this issue can occur multiple places in an application, including some – like libraries and frameworks – that are beyond a developer’s control. Hackers can attack vulnerable Java applications and take over application servers, enabling them to “land-and-expand” within businesses. Initially reported in early 2013, it wasn’t until researchers published exploits in November 2015 that the media, application vendors and businesses began to take note.

Vulnerability Showcases Value of RASP

“RASP technology is perfectly suited to protect applications vulnerable to Java deserialization exploits and many other types of attacks,” says Contrast Security CTO and co-founder, Jeff Williams. “Contrast Enterprise automatically adds RASP capabilities directly into applications, without requiring any application changes. Using patented deep security instrumentation, Contrast enables applications to defend themselves against attacks in real-time. By comparison, products like a Web Application Firewall (WAF) are blind to what is happening inside an application.”

Contrast Enterprise Interactive Application Security Testing (IAST) also detects this flaw in Java applications during development and testing phases of the SDLC, enabling rapid remediation before deployment.

Free RASP Protection Module

Because of the severity and pervasiveness of the Java deserialization vulnerability, Contrast Security has created a separate, dedicated, RASP Protection Module free for anyone to use. The RASP Protection Module is an open source tool that locates everywhere this Java vulnerability exists in an application and stops attacks that would exploit it. The RASP Protection Module requires no application modification or network changes whatsoever. Simply add the RASP Protection Module to a Java application server, and the Java applications on that server can defend themselves against Java deserialization exploits.

Download the Free RASP Protection Module

The RASP Protection Module can be downloaded from GitHub for immediate protection of all Java applications. It is available here:

https://github.com/Contrast-Security-OSS/contrast-rO0

About Contrast Security

Contrast Security is the world’s only application security software that quickly and accurately stops hackers from stealing data via web applications – the most successful attack vector. Industry research shows that application security flaws are the leading source of successful data breaches yet more than 90% of applications are not secure. Unlike legacy security products that do not defend applications, Contrast employs patented, deep security instrumentation to strengthen applications before they’re deployed, protect them in production and provide visibility throughout the application lifecycle. As a result, organizations can act faster against threats and immediately reduce their attack surface. More information on Contrast Security can be found at http://www.contrastsecurity.com/.

Advertisement