Date: August 30, 2018

Prepared for: BCBS Legal Counsel

Prepared by: Cybersecurity Division

Overview and Purpose

This brief provides an overview of the Apache Struts 2 vulnerability identified in August 2018 (CVE-2018–11776), its potential impact on Blue Cross Blue Shield (BCBS) systems, and the corrective actions taken by the Cybersecurity Division. The purpose is to ensure that the Legal Counsel team understands the nature of the vulnerability, the company's response timeline, and how our mitigation efforts align with industry best practices.

Understanding Apache Struts 2

Apache Struts 2 is an open-source web application framework widely used for developing Java-based enterprise applications. Open-source frameworks allow organizations to use and modify code that is publicly available, which promotes innovation, flexibility, and reduced licensing costs.

However, drawbacks include a higher dependence on timely updates and community-driven maintenance. Security vulnerabilities can be exposed publicly before organizations have a chance to patch them. At BCBS, Struts 2 supports several internal web applications related to member services and claims processing. Though not common in the healthcare sector, its scalability and performance made it suitable for our needs.

Nature of the Vulnerability (CVE-2018–11776)

CVE-2018–11776 was identified as a remote code execution (RCE) vulnerability in Apache Struts 2 versions prior to 2.3.35 and 2.5.17. Simply put, this flaw could allow an attacker to take control of a web application remotely if certain configuration settings were left unguarded.

The issue stemmed from improper input validation within the framework's URL mapping feature. When user-supplied data was not properly validated, attackers could inject malicious code into the server through specially crafted URLs. If exploited, this could enable the attacker to execute arbitrary commands on the affected system, potentially gaining access to sensitive information such as user data, login credentials, or health records.

Severity Level: High

Exploitability: Remote (no physical access required)

Potential Impact: Unauthorized access, data theft, or system compromiseTimeline of Events

Event-Date-Description

Vulnerability Disclosure-August 17, 2018-Apache publicly announced

CVE-2018–11776 and released

security guidance.

Internal Alert-August 17, 2018-BCBS Cybersecurity Division

received notice from Apache

and internal monitoring

systems.

Risk Assessment-August 18–20, 2018-The team reviewed all systems

using Struts 2 and determined

that several internal

applications were potentially at

risk.

Patch Implementation-August 22, 2018-Security patch and software

update to Struts 2.3.35/2.5.17

applied. Vulnerability resolved.

Post-Patch Verification — August 23–24, 2018 — Validation testing confirmed

the vulnerability was mitigated and no evidence of exploitation was found.

The system was exposed for five days (August 17–22). Given the rapid patch application, this period is considered short compared to industry norms, where patch cycles for critical vulnerabilities can range from several days to multiple weeks.

Assessment of Risk and Impact

After extensive log analysis and system review, the Cybersecurity Division found no indicators of compromise or evidence suggesting the vulnerability had been exploited during and after the five-day exposure period.

Regardless, if left unpatched, CVE-2018–11776 could have posed serious risks, including:

1. Unauthorized system access leading to exposure of sensitive personal health information(PHI).

2. Data manipulation or loss, compromising the accuracy of patient or claims records.

3. Operational disruption to internal applications supporting member services.

Given the scale of BCBS's membership (over 100 million individuals nationwide), even a single exploit could have had widespread implications for privacy, compliance, and public trust.

Corrective Actions and Resolution

Upon identification of the vulnerability, the Cybersecurity Division immediately took the following actions:

1. Risk Analysis: Assessed all systems utilizing Apache Struts 2 and identified potentially affected versions.

2. System Patch: Deployed the official Apache patch upgrading all Struts components to version 2.3.35 and 2.5.17.

3. Security Validation: Conducted penetration testing and vulnerability scans to confirm that the patch had effectively mitigated the issue.

4. Enhanced Monitoring: Increased log surveillance to detect any abnormal activity related to application inputs or URL requests.

5. Policy Reinforcement: Updated internal documentation on patch management to emphasize faster response times for critical CVEs.

Industry Standards and BCBS Compliance

In the cybersecurity field, patch management best practices recommend that:

1. Critical vulnerabilities should be patched within 7–10 days of public disclosure (National

Institute of Standards and T echnology, 2019).

2. Organizations should maintain a formal vulnerability management policy for rapid identification and remediation.

BCBS completed full remediation within five days, which meets and exceeds standard industry expectations for critical vulnerabilities. Additionally, the response was consistent with Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements for maintaining the integrity and confidentiality of electronic protected health information (ePHI).

Lessons Learned and Future Prevention

Although no exploitation occurred, this incident underscored the importance of continuous vigilance when using open-source software. Moving forward, BCBS's Cybersecurity Division is:

1. Implementing automated alerts to flag new CVEs affecting open-source dependencies in real time.

2. Establishing a faster emergency patch protocol for high-severity vulnerabilities.

3. Conducting quarterly audits to verify that all third-party frameworks are up to date.

4. Collaborating with Legal Counsel to improve incident documentation and ensure compliance reporting is clear and defensible in case of future hearings.Conclusion

The 2018 Apache Struts 2 vulnerability (CVE-2018–11776) presented a serious but manageable threat to BCBS systems. The Cybersecurity Division acted swiftly and effectively to mitigate risk, ensuring that no patient data or internal systems were compromised.

Our five-day response period aligns with industry-leading standards, demonstrating BCBS's commitment to data protection, operational transparency, and regulatory compliance. By maintaining proactive security practices and close coordination between technical and legal teams, BCBS continues to uphold its responsibility to safeguard the sensitive health information of its members.

References:

1. S2–057 — Apache Struts 2 Wiki — Apache Software Foundation. (n.d.). Cwiki.apache.org. https://cwiki.apache.org/confluence/display/WW /S2–057

2. Souppaya, M., & Scarfone, K. (2022, April 6). Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. Csrc.nist.gov. https://csrc.nist.gov/pubs/sp/800/40/r4/final

3. NVD — CVE-2018–11776. (2018). Nvd.nist.gov. https://nvd.nist.gov/vuln/detail/CVE-2018-11776

4. U.S. Department of Health and Human Services. (2022, October 20). The Security Rule. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/security/index.html