Veracode Reports New Apache Struts 2 Security Problem

From Veracode: “On Aug. 22 [2018], the Apache Software Foundation announced that a new critical remote code execution vulnerability was found in Apache Struts 2 (CVE-2018-11776). According to the Semmle Security Research Team, who first identified and reported the vulnerability, this flaw is ‘more critical’ than the Struts vulnerability behind the massive data breach that exposed the personal information of 143 million Americans in March of last year. The remote code execution vulnerability impacts all supported versions of Apache Struts 2. This means that any applications developed using the framework, most popularly used for developing Java-based applications, are potentially at risk (depending on the configuration) – even when additional plugins have not been enabled.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.”

You can read the Veracode article here.

The Struts Patch Process is Not Enough

In that same article, Veracode noted that “most open source components remain unpatched once they’re built into software, and that 88 percent of Java applications had at least one component-based flaw.” It is not an easy problem. Patching a framework bug is not one step but several: someone has to disclose the hole; you have to work out whether it applies to you (which Struts version you ship, which plugins are enabled, how the framework is configured); then you have to find the fixed release, apply it, retest and redeploy, for every application that embeds the framework. The problem isn’t that the IT staff are lazy or incompetent; the problem is that organizations keep using Struts even though it’s a known risk.
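To make the “does it apply to you” step concrete, here is an added example, written for this page rather than taken from ResQSoft, Veracode or the Apache project, that checks a deployment’s struts2-core version and its struts.xml against the public details of CVE-2018-11776: the fix shipped in Struts 2.3.35 and 2.5.17, and the namespace injection is reachable when struts.mapper.alwaysSelectFullNamespace is true (the “depending on the configuration” caveat in the Veracode quote). The jar names, pom fragment and struts.xml it runs on are constructed sample input.

```python
"""Added example: audit a Struts 2 deployment for CVE-2018-11776 exposure.

Illustrative code written for this page, not a ResQSoft or Apache tool.
It uses two signals from the public advisory for the CVE:
  1. the struts2-core version: 2.3.35 and 2.5.17 carry the fix; every
     earlier 2.x release is treated as affected (the Struts team said
     older, unsupported versions may be affected as well);
  2. struts.mapper.alwaysSelectFullNamespace=true in struts.xml, the
     setting that makes the namespace injection reachable.
All file names and XML below are constructed sample input.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_2_3 = (2, 3, 35)   # first fixed release on the 2.3 branch
FIXED_2_5 = (2, 5, 17)   # first fixed release on the 2.5 branch

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
POM_RE = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>")
CONSTANT_RE = re.compile(
    r'<constant\s+name="struts\.mapper\.alwaysSelectFullNamespace"\s+value="([^"]*)"',
    re.IGNORECASE)
NUMERIC_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.34' -> (2, 3, 34); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


def core_version_from_jar(filename: str) -> Optional[str]:
    """Version embedded in a struts2-core jar name, or None for any other jar."""
    match = JAR_RE.match(filename)
    return match.group(1) if match else None


def core_version_from_pom(pom_text: str) -> Optional[str]:
    """Version declared for struts2-core in a pom.xml (may be a ${property})."""
    match = POM_RE.search(pom_text)
    return match.group(1) if match else None


def is_vulnerable_version(version: str) -> bool:
    """True unless the version is at or past the fix on its branch."""
    v = parse_version(version)
    if v >= FIXED_2_5:
        return False
    if FIXED_2_3 <= v < (2, 5):
        return False
    return True


def full_namespace_enabled(struts_xml: str) -> bool:
    """Does struts.xml turn on alwaysSelectFullNamespace?"""
    match = CONSTANT_RE.search(struts_xml)
    return bool(match) and match.group(1).strip().lower() == "true"


def audit(jar_names: List[str], pom_text: str, struts_xml: str) -> Dict[str, object]:
    """Combine the signals into one report; anything unresolved needs a human."""
    versions = {v for v in (core_version_from_jar(j) for j in jar_names) if v}
    pom_version = core_version_from_pom(pom_text)
    if pom_version:
        versions.add(pom_version)
    numeric = {v for v in versions if NUMERIC_RE.fullmatch(v)}
    vulnerable = sorted(v for v in numeric if is_vulnerable_version(v))
    unresolved = sorted(versions - numeric)   # e.g. ${struts.version}
    return {
        "versions": sorted(versions),
        "vulnerable_versions": vulnerable,
        "unresolved_versions": unresolved,
        "always_select_full_namespace": full_namespace_enabled(struts_xml),
        "action_needed": bool(vulnerable or unresolved),
    }


# Constructed sample input: a WEB-INF/lib listing, a pom fragment and a struts.xml.
SAMPLE_LIB_DIR = ["struts2-core-2.3.34.jar", "ognl-3.0.21.jar", "commons-lang3-3.2.jar"]
SAMPLE_POM = """<project><dependencies><dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.34</version>
</dependency></dependencies></project>"""
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction"><result>/hello.jsp</result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LIB_DIR, SAMPLE_POM, SAMPLE_STRUTS_XML).items():
        print(f"{key}: {value}")
```

A version string that is a Maven property (for example `${struts.version}`) is reported as unresolved rather than silently passed, because that is exactly the case where an automated check quietly says “fine” and a human later finds the old jar in the build. The check is deliberately conservative: a struts2-core jar that has been shaded or renamed, or a vulnerable Struts copy bundled inside another artifact, will not be found by filename, so treat a clean result as “nothing obvious” and not as proof of safety.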

It’s like smoking. You know that you MAY get lung cancer, but you keep smoking because it might be okay. Running Struts is a serious risk, but people keep doing it because Struts is not a library you can simply swap out: its action classes, form and validation code, XML configuration and JSP tag libraries are woven through every layer of the application, and in a large codebase ripping that out by hand is a major, expensive rewrite.

Unless you let us help.

The Apache Struts project’s own Struts 1 end-of-life announcement puts the question directly: “Given a major security problem or a serious bug is reported for Struts 1 in the near future, can we expect a new release with fixes?” Apache’s answer:
“As of now, actually no – that is what the EOL announcement essentially is about. Since the end of support is reached, you will either need to find mitigations, patch the existing Struts 1 source code yourself or migrate your project to another web framework.” Struts 1 will therefore never receive another fix. Struts 2 is not a safe harbour either: Struts 2.3 is itself approaching end of life, and the framework’s worst flaws, CVE-2017-5638 (the Equifax bug) and CVE-2018-11776 among them, are OGNL expression-injection bugs rooted in how the framework evaluates request-influenced input, so each patch closes one path without removing the root cause.

Assessment

We can help remove Struts from your application and replace it with the actively maintained and far more widely used Spring MVC framework. ResQSoft Engineer analyzes the JSP and Java files, then replaces the Struts library files and the Struts-specific code automatically.

An assessment is straightforward: we run your code through the tools and tell you exactly how much hand work would remain.

Improve your security and maintainability! Contact us today…