0-Day vulnerabilities in Apache Struts: a plague for companies?

In the last months, Apache Struts was afflicted by some serious 0-Day vulnerabilities, that allows remote code execution on unpatched hosts


Every security expert trembles with fear when he reads “RCE” (Remote Code Execution) on a disclosure document, and read it often in a few months, especially when it concerns a popular product like Apache Struts, really puts a strain even the most seraphic technician.


Remote Code Execution?

Remote code execution is the ability an attacker has to access someone else’s computing device and make changes.

Vulnerabilities can provide an attacker the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application. After gaining access to the system, attackers will often attempt to elevate their privileges.

Concerning Apache Struts, in the last 12 months four vulnerabilities was marked with a “10” CVSCC score:

https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/

The last of them was especially analyzed in an interesting article on RiskIQ blog:

Versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 have a bug that allows remote code execution on any server that is running a web application developed with these code versions. Specifically, the Jakarta multipart parser mishandles Content-Type headers, allowing an attacker to deploy OGNL to execute commands remotely, as detailed in this post from Qualys.

Every new vulnerability involves a not exactly easy mitigation:

Apache Struts 2 is an open-source web application framework for developing Java EE web applications, so…

…to alleviate the vulnerability, each of these web applications must be recompiled with a patched version of Struts. However, because these code versions have been around for several years, many of the apps developed with them may not be actively maintained and are unlikely to be updated anytime soon. Additionally, recompiling applications with patched code takes time and may break them. Finally, finding servers running these vulnerable applications is incredibly difficult, a challenge our Customer Success team was forced to tackle while assisting our customers worried about the Struts vulnerability.

At this point, my point of view is:

is it worth for a company to continue rely on a product with all these (serious) security problems?

Especially when alternatives are available Open Source just as valid as Spring or Google Web Toolkit.


Some references

https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/
https://www.cvedetails.com/cve/CVE-2016-0785/

Comments