Open Source Insider

Mar 13 2017   10:54AM GMT

Black Duck: Struts’ guts went nuts, need to patch is clearcut

Adrian Bridgwater


Security researchers say they have discovered an open source code vulnerability (CVE-2017-5638) in Apache Struts 2 – (report).

Apache Struts is a free, open-source MVC framework for building Java web applications (the Model-View-Controller pattern separates an application into three main components: the model, the view and the controller). Struts favours convention over configuration, is extensible through a plugin architecture and ships with plugins that support REST, AJAX and JSON.

Security strategy firm Black Duck Software has advised users to urgently update Struts, which Apache has now patched.

According to Mike Pittenger, head of security strategy at Black Duck, although by definition no patch exists for a zero-day vulnerability, CVE-2017-5638 makes it simple for even less skilled attackers to make trouble.

Target-rich environment

Pittenger asserts that a vulnerability in a component as popular as Struts creates a very target-rich environment for attackers.

“Fortunately, the community was quick to create, test and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come,” said Pittenger.

Black Duck’s 2016 on-demand audit report showed that the average age of vulnerabilities in the open source used in commercial applications was over five years, and that over 10% of applications were still vulnerable to Heartbleed.

Complicating remediation

“This is evidence that even well publicised vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application and almost 10% had three or more versions, further complicating remediation for a vulnerability like this,” concluded Pittenger.
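The audit finding above, that one application may bundle several copies of Struts, is the practical obstacle to patching: every copy has to be found before it can be updated. The following added example (mine, not the article's or Black Duck's code) inventories struts2-core jars in a deployment tree, including jars nested inside .war/.ear archives, and flags applications that ship more than one version. The directory layout and version numbers are constructed placeholders, not real Struts releases.

```python
import io
import os
import re
import tempfile
import zipfile
from collections import defaultdict

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")  # struts2-core-<version>.jar
ARCHIVES = (".war", ".ear", ".jar")

def versions_in_archive(data: bytes) -> set:
    """Versions of every struts2-core jar inside an archive, recursing into nested ones."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                found.add(m.group(1))
            elif name.endswith(ARCHIVES):  # nested war/jar: look inside it too
                found |= versions_in_archive(zf.read(name))
    return found

def inventory(root: str) -> dict:
    """Map each top-level application directory under root to the Struts versions it bundles."""
    result = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        app = os.path.relpath(dirpath, root).split(os.sep)[0]
        for fname in files:
            m = JAR_RE.search(fname)
            if m:
                result[app].add(m.group(1))
            elif fname.endswith(ARCHIVES):
                with open(os.path.join(dirpath, fname), "rb") as fh:
                    result[app] |= versions_in_archive(fh.read())
    return dict(result)

def multi_version_apps(inv: dict) -> list:
    # Applications bundling more than one Struts version; each copy must be patched separately.
    return sorted(app for app, vs in inv.items() if len(vs) > 1)

def build_sample_tree() -> str:
    root = tempfile.mkdtemp()  # constructed sample deployment; versions are placeholders, not real releases
    lib = os.path.join(root, "app-a", "WEB-INF", "lib")
    os.makedirs(lib)
    zipfile.ZipFile(os.path.join(lib, "struts2-core-1.0.0.jar"), "w").close()
    os.makedirs(os.path.join(root, "app-b"))
    with zipfile.ZipFile(os.path.join(root, "app-b", "app-b.ear"), "w") as ear:
        ear.writestr("lib/struts2-core-1.0.0.jar", b"")  # two copies of the framework
        ear.writestr("web/struts2-core-1.1.0.jar", b"")  # at different versions
    return root
```

Running `inventory()` over a real deployment root gives the per-application version list that a patch plan needs; `multi_version_apps()` is the list to chase first.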
