Black Duck: Struts' guts went nuts, need to patch is clearcut

Security researchers say they have discovered a vulnerability (CVE-2017-5638) in the open source Apache Struts 2 framework (report).

Apache Struts is a free and open source MVC framework for building Java web applications; the Model-View-Controller (MVC) architectural pattern separates an application into three main components: the model, the view and the controller. Struts favours convention over configuration, is extensible through a plugin architecture and ships with plugins that support REST, AJAX and JSON.

Security strategy firm Black Duck Software has advised users to urgently update Struts, which Apache has now patched.

According to Mike Pittenger, head of security strategy at Black Duck, although by definition no patch exists for a zero-day vulnerability, CVE-2017-5638 makes it simple for even less skilled attackers to make trouble.

Target-rich environment

Pittenger asserts that a vulnerability in a component as popular as Struts creates a very target-rich environment for attackers.

“Fortunately, the community was quick to create, test and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come,” said Pittenger.

Black Duck’s 2016 on-demand audit report showed that the average age of vulnerabilities in the open source used in commercial applications was over five years, and that over 10% were still vulnerable to Heartbleed.

Complicating remediation

“This is evidence that even well publicised vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application and almost 10% had three or more versions, further complicating remediation for a vulnerability like this,” concluded Pittenger.
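One way to get ahead of the multiple-versions problem Pittenger describes is to inventory every struts2-core jar per deployed application and compare each against the fixed release for its line. The script below is an added example, not Black Duck's tooling or code from the page; it assumes an exploded Tomcat-style layout in which everything before WEB-INF is one application, and DEMO_FIXED holds placeholder thresholds rather than the real fixed releases.

```python
import os, re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Struts 2 core jar by file name, e.g. struts2-core-2.3.24.1.jar; captures the dotted version.
STRUTS_CORE_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.24.1' -> (2, 3, 24, 1), so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def app_of(path: str) -> str:
    """Assumed layout: everything before WEB-INF is one deployed application."""
    parts = path.replace("\\", "/").split("/")
    return "/".join(parts[:parts.index("WEB-INF")]) if "WEB-INF" in parts else os.path.dirname(path)

class Finding(NamedTuple):
    app: str
    versions: List[str]  # distinct struts2-core versions in this app
    flagged: List[str]   # older than the fixed release for their line, or a line with no fix configured

def inventory(paths: Iterable[str], fixed: Dict[str, str]) -> List[Finding]:
    """Group struts2-core jars per app; `fixed` maps a line ("2.3") to its first fixed release."""
    seen: Dict[str, set] = {}
    for path in paths:
        m = STRUTS_CORE_RE.search(path.replace("\\", "/"))
        if m:
            seen.setdefault(app_of(path), set()).add(m.group(1))
    findings = []
    for app, versions in sorted(seen.items()):
        ordered = sorted(versions, key=parse_version)
        flagged = [v for v in ordered
                   if ".".join(v.split(".")[:2]) not in fixed
                   or parse_version(v) < parse_version(fixed[".".join(v.split(".")[:2])])]
        findings.append(Finding(app, ordered, flagged))
    return findings

def scan_tree(root: str, fixed: Dict[str, str]) -> List[Finding]:
    """Walk an exploded deployment directory such as Tomcat's webapps/."""
    return inventory((os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs), fixed)

# PLACEHOLDER thresholds for the demo; take the real fixed releases from the Apache advisory for CVE-2017-5638.
DEMO_FIXED = {"2.3": "2.3.99", "2.5": "2.5.99"}

SAMPLE_PATHS = [  # constructed sample, standing in for a real webapps/ tree
    "webapps/shop/WEB-INF/lib/struts2-core-2.3.20.jar",
    "webapps/shop/WEB-INF/lib/struts2-core-2.3.24.1.jar",  # second copy in the same app
    "webapps/shop/WEB-INF/lib/commons-lang3-3.4.jar",
    "webapps/portal/WEB-INF/lib/struts2-core-2.5.99.jar",
    "webapps/legacy/WEB-INF/lib/struts2-core-2.1.8.jar",
]
```

Any application whose finding lists more than one version is exactly the remediation trap the audit describes: patching one copy leaves the other on the classpath.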