Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.
The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.
The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.
Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:
While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.
Case in point: Equifax
Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.
Synopsys’ BDSR explored questions such as whether successful exploitation of the versions that got left out of previous security advisories would yield RCE or leave a system vulnerable to a denial-of-service (DoS) attack.
Moderate risk, but still, update!
BDSR determined that the maximum security rating for the incorrectly listed version ranges of affected releases is moderate. The researchers disclosed the newly discovered affected versions to the Apache Struts team through responsible disclosure procedures.
Mackey pointed out that the Apache Struts team has announced that Struts 2.3 is nearing its end of life:
Users of Struts 2.3 should be actively developing and executing plans to migrate to Struts 2.5 in a prudent manner.
Who to blame?
This is open-source. You can’t easily lay blame for a gaffe like this or figure out if you’ve correctly patched security issues in a given component, Mackey pointed out in his post:
It’s well understood that security information for open source projects often operates quite differently than that of commercial software. This is in large part due to the community aspect of open source development wherein consumers of open source components download and use a component, often without the knowledge or awareness of the open source developers or leadership for the component. When it comes to security information, this anonymity presents a challenge for those wishing to ensure they’ve correctly patched any security defects in their environment.