Struts 1 is End of Life
Apache has made it clear that if you are using Struts 1, you need to move. The question was asked, “Given a major security problem or a serious bug is reported for Struts 1 in [the] near future, can we expect a new release with fixes?” Apache’s answer: “As of now, actually no – that is what the EOL announcement essentially is about. Since the end of support is reached, you will either need to find mitigations, patch the existing Struts 1 source code yourself or migrate your project to another web framework.”
“Actually?” There’s no “Actually” about it — this is not a difficult question. They could just as well have said, “Hell, no.” But the problem is not so much that there will be no more nice emails with patches: the problem is that nobody is testing Struts 1 applications for security vulnerabilities, and there will be no patches developed. The idea that your shop will find and fix security holes in Struts 1 is just not realistic.
Isn’t Struts 2 Safe?
Just last year, a critical-level remote code execution vulnerability (CVE-2018-11776) has been identified in Apache Struts. The vulnerability has been classified as critical because the flaw could allow remote attackers to execute their code on a server that is running the Struts-developed app.
The Apache Software Foundation announced that it has released a new version of Struts that patches the issue. Affected versions include Struts 2.3 through Struts 2.3.34, as well as Struts 2.5 through Struts 2.5.16. ASF strongly recommends that users upgrade to Struts 2.3.35 or Struts 2.5.17 immediately, even though a workaround that they characterize as “weak” is possible.
Adding urgency, Tenable has blogged, “A working proof of concept (PoC) has been discovered and verified on Github by Tenable’s research team. In addition, there are indications that attackers are already probing for vulnerable Apache Struts instances.” See the full posting from Security Now for additional information.
These are not just isolated problems — they come from the way Struts is implemented. And just because this vulnerability has been found, we should not conclude that there won’t be more Struts 2 security holes; there will be.
Struts 2.3 is as Dead as Struts 1
Apache announced end of life for Struts 2.3 on 2018-11-14: “…starting from that date we will only support Apache Struts 2.3.x in case of security vulnerabilities. Within those 6 months period you can expect that we do our best to keep Struts 2.3.x branch secure but some of the security related changes cannot happen without architectural changes that can affect backward compatibility. This what happened to Struts 2.5.x, we introduced some internal changes to improve overall framework’s security.”
It’s Not Urgent Until You’re Hacked
We get it. If you have a couple million lines of Java that uses Struts, fixing it by hand is very, very expensive. The initial estimate going in will probably be around $5 million, but that’s likely not to hold. Somewhere north of $10 million would be more likely. But we have a great solution to the problem that is very inexpensive, and will solve the problem quickly. You are NOT SAFE just because some versions of Struts 2 are still supported.
Please contact us to discuss your specific requirements, and how ResQSoft® Engineer and our staff of experienced software engineers can solve your Struts problem BEFORE your systems are compromised.
For More Information
Contact us at firstname.lastname@example.org, or call our CTO directly at (571) 488-0304.