What’s Wrong With Struts?

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

Equifax has admitted that the breach was due to an Apache Struts vulnerability.

Your system may not process consumer data… but isn’t your financial and engineering data valuable? Do you want hackers to steal it and sell it to others?

The Struts Problem

A critical remote code execution vulnerability affects all versions of the popular application development framework Struts since 2008. The Struts 1.x web framework has reached its end of life and is no longer officially supported. Users should not rely on a properly maintained framework state when utilizing Struts 1 in projects, because Struts 1 is no longer tested or maintained.

One well-known vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data.

“Given a major security problem or a serious bug is reported for Struts 1 in near future, can we expect a new release with fixes?” Apache answer: 
“As of now, actually no – that is what the EOL announcement essentially is about. Since the end of support is reached, you will either need to find mitigations, patch the existing Struts 1 source code yourself or migrate your project to another web framework.”

Are you safe if you use Struts 2 instead of Struts 1? No, see the explanation here and here.
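Before planning a removal, it helps to know where Struts is actually deployed. The inventory script below is an added example, not ResQSoft or Apache code: it lists Struts 1, Struts 2 core and Struts 2 REST plugin jars, both loose on disk and bundled inside WAR/EAR files. It assumes jars keep their standard Maven file names, and the sample WAR is constructed.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: jars keep their standard Maven file names (artifact-version.jar).
STRUTS_JAR = re.compile(
    r"^(struts2-rest-plugin|struts2-core|struts-core|struts)-(\d[\w.\-]*)\.jar$")

def classify(jar_name):
    """Return (family, version) for a Struts jar file name, else None."""
    m = STRUTS_JAR.match(jar_name.rsplit("/", 1)[-1])
    if not m:
        return None
    family = "struts1-eol" if m.group(1) in ("struts", "struts-core") else m.group(1)
    return family, m.group(2)

def scan_archive(data, label):
    """List Struts jars in a WAR/EAR given as bytes, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            hit = classify(name)
            if hit:
                findings.append((f"{label}!/{name}", *hit))
            elif name.lower().endswith((".war", ".ear")):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings

def scan_tree(root):
    """Walk a deployment directory: loose jars plus jars inside WAR/EAR files."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hit = classify(path.name)
        if hit:
            findings.append((str(path), *hit))
        elif path.suffix.lower() in (".war", ".ear"):
            findings += scan_archive(path.read_bytes(), str(path))
    return findings

def build_sample_war():
    """Constructed sample: a WAR whose WEB-INF/lib holds empty, Struts-named files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("struts-core-1.3.10.jar", "struts2-rest-plugin-2.5.10.jar",
                    "spring-webmvc-5.0.0.RELEASE.jar"):
            zf.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for where, family, version in scan_archive(build_sample_war(), "sample.war"):
        print(f"{family:20} {version:12} {where}")
```

Point `scan_tree` at an application server's deployment directory to get the same report for real archives; renamed or shaded jars will not match the file-name pattern.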

The ResQSoft Solution

Remove Struts from your application and replace it with the much more modern, and much more widely supported, Spring MVC Framework.

ResQSoft Engineer analyzes the JSP and Java files, and replaces library files and Struts code automatically.

Templates and analyzers are used to write fresh, properly structured new programming code utilizing the Spring MVC framework instead.

The process involves hand finishing by programmers, but the goal for Engineer is to automatically write over 85% of the routine lines of code that must be changed. In our own testing, we’re hitting over 98% of the changes successfully! But every code base is different, so 85% is our goal for now. And if you need more, we’ll work with you to get there. We can do an assessment to make a plan to achieve complete removal of Struts, either at a fixed price or by providing Time and Materials support to your in-house team.

Hand finishing by programmers focuses on handling unique logic in tags and other unique features of the code base.

Areas Addressed

  • Libraries – replacing Struts Jars with Spring MVC Jars (Spring 3 or 5, depending on the age of the Struts version)
  • Tags – replacing Struts Tags with HTML Tags
  • Replacing the Dispatcher with an appropriate Spring Dispatcher
  • Automation-assisted editing of Controller logic
  • Automation-assisted refactoring of application structure
  • Obsolete versions of Java are upgraded to Java 8 (or Java 11 or 12), enabling use of JPA and extending support options for years

Improve your security and maintainability! Contact us today…