We found that 24 Apache Struts Security Advisories incorrectly list impacted versions and that previously disclosed vulns affect an additional 61 versions.
It’s well understood that security information for open source projects often works quite differently from that for commercial software. This is in large part due to the community nature of open source development, in which consumers download and use a component, often without the knowledge or awareness of the developers or leadership of that project. When it comes to security information, this anonymity presents a challenge for those wishing to ensure they’ve correctly patched every security defect in their environment.
As part of the Synopsys commitment to strengthening open source governance, the Black Duck Security Research (BDSR) team within the Synopsys Cybersecurity Research Center (CyRC) performed a detailed analysis of the impact statements for vulnerability disclosures for the Apache Struts Framework. The test bed created within BDSR enables our researchers to validate and accurately reproduce vulnerability findings across the large number of component releases commonly found with open source development.
As part of our research effort, we investigated 115 distinct releases of Apache Struts and correlated these releases against the 57 existing Apache Struts Security Advisories covering 64 vulnerabilities. We found that 24 Security Advisories incorrectly stated the impacted versions for the vulnerabilities they cover. In total, 61 additional unique versions of Struts were identified as being impacted by at least one previously disclosed vulnerability.
In addition to identifying the version impact of previously disclosed vulnerabilities, we attempted to determine the impact of each vulnerability itself. For example, could successful exploitation yield remote code execution, or enable a denial-of-service (DoS) attack? The findings from this effort were disclosed to the Apache Struts team through responsible disclosure procedures.
With such significant updates to a large range of published vulnerability advisories, it’s reasonable to ask what the potential impact to Struts users might be. In the 2019 Open Source Security and Risk Analysis (OSSRA) report, we found that 43% of the commercial software codebases analyzed contained vulnerabilities over ten years old. This reality speaks to the complexity of open source security and the importance of ensuring accurate version impact statements.
While our findings included versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is a vulnerable version that was missed in the original assessment. Given that development teams often cache “known good” versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting effect on overall product security.
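One way a consumer of a component can act on a revised impact statement is to re-check every pinned version in the build against both the original and the corrected version ranges, so that versions the original advisory missed stand out. The following is an added example written for this post, not code from the original article, from Synopsys, or from the Apache Struts project; the advisory identifier, the two version ranges, and the pinned inventory are constructed placeholders and do not reproduce the actual figures from S2-058 or any other Struts advisory.

```python
"""Re-check pinned component versions against a corrected advisory impact statement.

Added example. All advisory identifiers, version ranges and inventory entries
below are constructed placeholders, not data from a real Struts advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Versions are normalised to exactly four numeric components so that
# "2.3" and "2.3.0" compare equal and "2.3.9" sorts below "2.3.37".
_COMPONENTS = 4


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted release string such as '2.3.37' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or len(parts) > _COMPONENTS or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (_COMPONENTS - len(nums)))


@dataclass(frozen=True)
class VersionRange:
    """Inclusive range of releases, the way advisories usually state them."""
    low: str
    high: str

    def contains(self, version: str) -> bool:
        return parse_version(self.low) <= parse_version(version) <= parse_version(self.high)


@dataclass(frozen=True)
class ImpactStatement:
    """The set of releases an advisory lists as affected."""
    advisory: str
    ranges: Tuple[VersionRange, ...]

    def affects(self, version: str) -> bool:
        return any(r.contains(version) for r in self.ranges)


def classify(original: ImpactStatement, corrected: ImpactStatement,
             inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each pinned version by how the corrected statement changes its status."""
    report = {}
    for component, version in inventory.items():
        before, after = original.affects(version), corrected.affects(version)
        if after and not before:
            report[component] = "newly affected (missed by original advisory)"
        elif after:
            report[component] = "affected (listed in original advisory)"
        elif before:
            report[component] = "no longer affected (original advisory over-reported)"
        else:
            report[component] = "not affected"
    return report


def newly_affected(original: ImpactStatement, corrected: ImpactStatement,
                   inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """The cached 'known good' versions that only the corrected statement flags."""
    return sorted((name, ver) for name, ver in inventory.items()
                  if corrected.affects(ver) and not original.affects(ver))


# Constructed placeholder advisory: the original statement covered a narrower
# range than the corrected one (hypothetical figures, not from S2-058).
ORIGINAL = ImpactStatement("S2-EXAMPLE", (VersionRange("2.3.20", "2.3.34"),))
CORRECTED = ImpactStatement("S2-EXAMPLE", (VersionRange("2.3.15", "2.3.36"),))

# Constructed inventory of pinned versions across several build modules.
INVENTORY = {
    "billing-service": "2.3.20",
    "portal": "2.3.36",
    "reports": "2.5.12",
    "legacy-ui": "2.3.15",
    "batch-jobs": "2.5",
}

if __name__ == "__main__":
    for component, status in classify(ORIGINAL, CORRECTED, INVENTORY).items():
        print(f"{component:16} {INVENTORY[component]:8} {status}")
```

The check deliberately reports the three possible changes separately: versions the original advisory already listed, versions it missed, and versions it over-reported, since only the second group is the quiet risk the post describes.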
Lastly, we’d like to highlight that the Apache Struts team has announced that Struts 2.3 is nearing its end of life. Users of Struts 2.3 should be actively developing and executing plans to migrate to Struts 2.5.
Given the breadth of our reported observations, confirming the findings and updating the relevant security advisories took some time to complete. We wish to thank the Apache Software Foundation and the Apache Struts team for their diligence collaborating on this effort. All findings were updated on the Apache Struts Security Advisory page on August 13, 2019, and summarized in S2-058.
Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.