Case study

US-Based Global Media Company Remediating Years of Vulnerabilities

The company

The following trial was run against a Java application on the server estate of a US-based global media company. Its goal was to evaluate whether Waratek’s runtime protection platform could modernize, harden and protect the company’s applications without changes to application code.

The challenge

The target was a legacy Tomcat 7.0.29 application deployed on a legacy Java SE 1.7.0 (update 0) JRE. A pre-installation assessment found that the application stack carried the following:

  • Up to 25 Qualys vulnerabilities recorded against Java SE 1.7.0 (update 0);
  • More than 500 MITRE CVE entries recorded against Java SE 1.7.0 (update 0);
  • Up to 17 MITRE CVE entries recorded against Tomcat 7.0.29;
  • An unknown number of CVEs against the imported JAR files (third-party libraries); and
  • Unauthenticated remote JMX management services, which expose MBean operations to any client that can reach the port.

After the Waratek platform was installed and launched in the reference environment, a post-installation scan gave the following results:

Summary findings by scan (Qualys)                                            Before Waratek (Java 7)   After Waratek (Java 7 guest on Java 8 host)
Total vulnerabilities (reported by Qualys, including kernel and OS packages)  72                        47
Total JVM vulnerabilities                                                    25                        0
Total Tomcat vulnerabilities (out of scope)                                  8                         8
High priority (CVSS > 8)                                                     24                        0
Medium priority (CVSS 6 – 8)                                                 3                         2
Low priority (CVSS < 6)                                                      6                         6

Reading the table: the 25-finding drop in the Qualys total is exactly the JVM row, so the 47 findings that remain are kernel/OS package and Tomcat findings, which sit outside the JVM and are not addressed by a JVM-level platform. The priority rows cover the JVM and Tomcat findings only (24 + 3 + 6 = 33 = 25 + 8 before; 0 + 2 + 6 = 8 after).

Summary findings by CVE (MITRE)                  Before Waratek (Java 7)   After Waratek (Java 7 guest on Java 8 host)
Total JVM vulnerabilities                        505                       0
Total Tomcat vulnerabilities (out of scope)      17                        17
High priority (CVSS > 8)                         492                       0
Medium priority (CVSS 6 – 8)                     21                        8
Low priority (CVSS < 6)                          9                         9

The priority rows sum to JVM plus Tomcat (492 + 21 + 9 = 522 = 505 + 17 before; 0 + 8 + 9 = 17 after); the 17 CVEs left are all Tomcat 7.0.29 findings, which were out of scope for the runtime platform.

Network Activity

Waratek’s security policy configuration logged every network service the application actually used during the trial, so the in-use set could be read straight out of the log files. Further configuration can then restrict the application to only the services it requires and limit or block the rest. The unauthenticated remote JMX service noted in the challenge list is the kind of listener such a policy should block, or bind to a trusted interface, unless it is genuinely required.
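The learn-then-restrict step described above, as an added Python illustration that is not Waratek code: it uses neither Waratek’s policy language nor its log format. The log lines, their layout and the owner’s list of required services are all constructed for the example; port 1099 stands in for the unauthenticated JMX listener from the challenge list.

```python
"""Derive a network allowlist from observed socket activity, then check events
against it.  Added illustration; not Waratek's policy language or log format."""
import re
from collections import Counter

# Constructed log excerpt in a hypothetical "<timestamp> <LISTEN|CONNECT> <host>:<port> <proto>"
# layout.  Port 1099 plays the part of the JMX/RMI registry listener from the challenge list.
OBSERVED_LOG = """\
2019-03-01T10:00:01Z LISTEN 0.0.0.0:8080 tcp
2019-03-01T10:00:01Z LISTEN 0.0.0.0:1099 tcp
2019-03-01T10:00:01Z LISTEN 127.0.0.1:8005 tcp
2019-03-01T10:02:14Z CONNECT db.internal.example:3306 tcp
2019-03-01T10:02:15Z CONNECT db.internal.example:3306 tcp
2019-03-01T10:05:40Z CONNECT cdn.example.net:443 tcp
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (LISTEN|CONNECT) (\S+):(\d{1,5}) (tcp|udp)$")


def parse_events(text):
    """Yield (direction, host, port, proto) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, direction, host, port, proto = m.groups()
            yield direction, host, int(port), proto


def summarize(text):
    """Count distinct services seen: {(direction, host, port, proto): hits}."""
    return dict(Counter(parse_events(text)))


def wide_open_listeners(summary):
    """Ports listening on all interfaces; each is reachable from the network, not just localhost."""
    return sorted(port for (d, host, port, _p) in summary
                  if d == "LISTEN" and host in ("0.0.0.0", "::"))


def build_policy(summary, required):
    """Combine observations with an owner-approved 'required' set into a policy.

    'flagged' is the gap between what is in use and what the owner signs off on;
    'unseen_required' catches approved services the trial never exercised."""
    allow = set(required)
    observed = set(summary)
    return {
        "allow": allow,
        "flagged": sorted(observed - allow),
        "unseen_required": sorted(allow - observed),
    }


def evaluate(policy, event):
    """Default-deny decision for one (direction, host, port, proto) event."""
    return "allow" if event in policy["allow"] else "deny"


# Owner sign-off (constructed): everything observed except the JMX listener is required.
REQUIRED = {
    ("LISTEN", "0.0.0.0", 8080, "tcp"),
    ("LISTEN", "127.0.0.1", 8005, "tcp"),
    ("CONNECT", "db.internal.example", 3306, "tcp"),
    ("CONNECT", "cdn.example.net", 443, "tcp"),
}

if __name__ == "__main__":
    summary = summarize(OBSERVED_LOG)
    policy = build_policy(summary, REQUIRED)
    print("in use:", summary)
    print("bound to all interfaces:", wide_open_listeners(summary))
    print("flagged (in use, not required):", policy["flagged"])
    print("JMX listener ->", evaluate(policy, ("LISTEN", "0.0.0.0", 1099, "tcp")))
```

The point of keeping "flagged" separate from "allow" is that an allowlist generated purely from observation would silently approve the JMX listener; the owner’s sign-off is what turns an inventory into a policy.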

Deprecated hashing algorithms

Waratek security policy can also identify the use of deprecated or inappropriate Java classes and algorithms. Here, policy showed that the target application was calling both the MD5 and SHA hashing algorithms ("SHA" is the JCA alias for SHA-1). Both have practical collision attacks and are no longer considered cryptographically secure (see CWE-327: Use of a Broken or Risky Cryptographic Algorithm). Whether a given call is a real weakness depends on what it protects: a non-security checksum is a lower priority than a signature, certificate or password use, so each hit should be traced to its purpose before it is blocked.

Policies can be applied to identify or prevent the use of a range of APIs, functionality or components. For example:

  • Use of the sun.misc.Unsafe APIs
  • Use of deprecated functionality that violates internal policy
  • Use of specific vulnerable classes in open-source components such as Apache Commons or the Spring Framework
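As an added example covering both the hashing finding above and the API-restriction list (Python, not Waratek’s runtime policy engine): a static scan of a class file’s constant pool for MessageDigest.getInstance calls, weak digest-name literals and references to sun.misc.Unsafe. Runtime policy sees the actual calls; a constant-pool scan only sees what the compiler emitted, so it reports leads rather than proof. The class file is constructed in-line (a hypothetical com/example/LegacyHasher); the same scan_class function can be applied to each .class member of a jar opened with zipfile.

```python
"""Static scan of a Java class file's constant pool for references a security
policy would restrict: MessageDigest.getInstance, weak digest-name literals and
sun.misc.Unsafe.  Added example, not Waratek code; sample class constructed below."""
import struct

WEAK_DIGESTS = {"MD2", "MD5", "SHA", "SHA1", "SHA-1"}   # "SHA" is the JCA alias for SHA-1
RESTRICTED_CLASSES = {"sun/misc/Unsafe"}
DIGEST_FACTORY = ("java/security/MessageDigest", "getInstance")


def parse_constant_pool(data):
    """Return (pool, offset_after_pool); pool is indexed as the JVM does (slot 0 unused).
    Entries are (tag, ...) tuples per JVMS 4.4; Long/Double take two slots.  Utf8 is
    decoded as plain UTF-8, identical to Java's modified UTF-8 for the ASCII names here."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None], 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[off:off + 2])
            off += 2
            pool.append((1, data[off:off + length].decode("utf-8", "replace")))
            off += length
        elif tag in (3, 4):                            # Integer, Float
            pool.append((tag, data[off:off + 4]))
            off += 4
        elif tag in (5, 6):                            # Long, Double: 8 bytes, two slots
            pool.append((tag, data[off:off + 8]))
            pool.append(None)
            off += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):                # Class, String, MethodType, Module, Package
            pool.append((tag,) + struct.unpack(">H", data[off:off + 2]))
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):           # Field/Method/IfaceMethodref, NameAndType, (Invoke)Dynamic
            pool.append((tag,) + struct.unpack(">HH", data[off:off + 4]))
            off += 4
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            pool.append((tag, data[off]) + struct.unpack(">H", data[off + 1:off + 3]))
            off += 3
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        i += 1
    return pool, off


def scan_class(data):
    """List policy-relevant references in one class.  A getInstance call next to a weak
    literal is per-class evidence, not data flow: a lead to confirm (CWE-327), not proof."""
    pool, _ = parse_constant_pool(data)
    utf8 = lambda idx: pool[idx][1]
    findings = []
    for entry in pool:
        if entry is None:
            continue
        tag = entry[0]
        if tag == 7 and utf8(entry[1]) in RESTRICTED_CLASSES:          # Class -> Utf8
            findings.append(("restricted-class", utf8(entry[1])))
        elif tag == 10:                                                 # Methodref -> Class, NameAndType
            owner, name = utf8(pool[entry[1]][1]), utf8(pool[entry[2]][1])
            if (owner, name) == DIGEST_FACTORY:
                findings.append(("digest-factory", owner + "." + name))
        elif tag == 8 and utf8(entry[1]).upper() in WEAK_DIGESTS:      # String -> Utf8
            findings.append(("weak-digest-literal", utf8(entry[1])))
    return findings


# Constructed sample: the constant pool a hypothetical com/example/LegacyHasher might carry
# after calling MessageDigest.getInstance with "MD5", "SHA" and "SHA-256" and touching Unsafe.
def _u(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _cls(i): return b"\x07" + struct.pack(">H", i)
def _str(i): return b"\x08" + struct.pack(">H", i)
def _mref(c, nt): return b"\x0a" + struct.pack(">HH", c, nt)
def _nat(n, d): return b"\x0c" + struct.pack(">HH", n, d)

_ENTRIES = [                                                                      # pool slot numbers
    _u("java/security/MessageDigest"), _cls(1),                                   # 1, 2
    _u("getInstance"), _u("(Ljava/lang/String;)Ljava/security/MessageDigest;"),  # 3, 4
    _nat(3, 4), _mref(2, 5),                                                      # 5, 6
    _u("MD5"), _str(7), _u("SHA"), _str(9),                                       # 7-10
    _u("sun/misc/Unsafe"), _cls(11),                                              # 11, 12
    _u("SHA-256"), _str(13),                                                      # 13, 14
    _u("com/example/LegacyHasher"), _cls(15), _u("java/lang/Object"), _cls(17),  # 15-18
]
SAMPLE_CLASS = (struct.pack(">IHHH", 0xCAFEBABE, 0, 51, len(_ENTRIES) + 1)       # magic, version 51 = Java 7
                + b"".join(_ENTRIES)
                + struct.pack(">7H", 0x0021, 16, 18, 0, 0, 0, 0))                 # flags, this, super, no members

if __name__ == "__main__":
    for kind, what in scan_class(SAMPLE_CLASS):
        print(kind, what)
```

Note that "SHA-256" is left alone while "SHA" is flagged: the check is on exact JCA algorithm names, which is why the alias list matters more than a substring match.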


Software Composition Analysis

During the information-gathering phase of the live trial, the company provided details of the other Java applications running on the test server.

The list of JAR files (software libraries) used by these applications was fed into the OWASP Dependency-Check tool, which identified a number of vulnerable components in use.
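One way to turn a Dependency-Check JSON report into the CVSS bands used in the tables above, as an added Python example that is part of neither Dependency-Check nor Waratek. It follows the report’s dependencies[].vulnerabilities[] layout with cvssv3.baseScore and cvssv2.score as this editor knows it; confirm the field names against the version you run. The excerpt, jar names and CVE identifiers are constructed placeholders, not real findings.

```python
"""Bucket OWASP Dependency-Check JSON findings into the CVSS bands used on this page
(> 8 high, 6-8 medium, < 6 low).  Added example, not part of Dependency-Check."""
import json

# Constructed excerpt in the report's dependencies[].vulnerabilities[] layout.
# Jar names and CVE identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "legacy-util-1.2.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
        {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 6.8}}]},
    {"fileName": "web-framework-2.0.jar", "vulnerabilities": [
        {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
        {"name": "CVE-0000-0004", "severity": "LOW"}]},           # no numeric score at all
    {"fileName": "clean-lib-1.0.jar"},                             # no vulnerabilities key
]})

SEVERITY_FALLBACK = {"CRITICAL": "high", "HIGH": "high", "MEDIUM": "medium", "LOW": "low"}


def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; None when neither is present."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    if v3 is not None:
        return float(v3)
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return None if v2 is None else float(v2)


def bucket(score, severity=None):
    """Map a score to the page's bands.  Exactly 8.0 or 6.0 lands in medium because the
    page writes high as '> 8'; without a score, fall back to the scanner's severity label."""
    if score is None:
        return SEVERITY_FALLBACK.get((severity or "").upper(), "unknown")
    if score > 8:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def load_findings(report_json):
    """Flatten the report into (jar, cve, score, bucket) rows; jars without CVEs drop out."""
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        for v in dep.get("vulnerabilities") or []:
            s = score_of(v)
            rows.append((dep.get("fileName"), v.get("name"), s, bucket(s, v.get("severity"))))
    return rows


def summarize(rows):
    """Counts per band plus the number of distinct jars carrying at least one CVE."""
    out = {"high": 0, "medium": 0, "low": 0, "unknown": 0}
    for _jar, _cve, _s, b in rows:
        out[b] += 1
    out["vulnerable_jars"] = len({jar for jar, *_ in rows})
    return out


def worst_first(rows):
    """Jars ordered by their highest score: the order in which to virtual-patch or upgrade."""
    best = {}
    for jar, _cve, s, _b in rows:
        best[jar] = max(best.get(jar, -1.0), -1.0 if s is None else s)
    return sorted(best, key=lambda j: -best[j])


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(summarize(findings))
    print("patch order:", worst_first(findings))
```

Dependency-Check identifies components by evidence-based CPE matching, so the same list should be checked for mismatched components (a jar matched to the wrong product) before the high band drives a patching plan.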

Waratek security policy can apply virtual patches to remediate vulnerabilities at every layer of the software stack, third-party components included. Policy can also be used to reduce a component’s attack surface significantly, which lowers the probability of future exploitation and offers protection against zero-day vulnerabilities in that component.

The solution

Waratek’s approach resulted in the remediation of years of accumulated vulnerabilities and the effective upgrade of an out-of-date Java JRE without changing a single line of application code.

Application performance in normal operating mode improved by nearly 7%, and overhead rose by less than 2.5% while the application was under attack.

The application owners can expect to see an elimination of false positives. The company also gains operational efficiency from live patching without shutting the application down, which reduces patch times, costs and the risks that come with delayed patching.

The results

  • Increase in performance: 7%
  • CVEs remediated instantly: 500+ (505 JVM CVEs in the scan above)
  • Reduction in false positives: 100%
