Apache Struts continues to be a critical piece of software infrastructure for many organizations, and according to new research, it continues to be a deep well of vulnerabilities from which hackers can draw.
In a new report, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, writes that the team investigated 115 separate Apache Struts releases and compared them with 57 security advisories covering 64 vulnerabilities. They found 61 additional Struts versions affected by at least one already disclosed vulnerability.
In addition, Mackey points out that an earlier report, the “2019 Open Source Security and Risk Analysis,” showed that 43% of commercial software had vulnerabilities at least 10 years old — a reminder, he writes, that knowing about vulnerabilities is of little use if good patching and updating policies aren’t followed.
In addition to identifying which versions are affected by previously disclosed vulnerabilities, the team attempted to determine the impact of each vulnerability itself. For example, they explored whether successful exploitation yields remote code execution or creates a potential denial-of-service (DoS) condition. The findings from this effort were disclosed to the Apache Struts team through responsible disclosure procedures.
The research also identified versions that were falsely reported as impacted in the original disclosure, but the real risk for consumers of a component arises when a vulnerable version is missed in the original assessment. Given that development teams often cache “known good” versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.