We found that 24 Apache Struts Security Advisories incorrectly list impacted versions and that previously disclosed vulns affect an additional 61 versions.
It’s well understood that security information for open source projects often operates quite differently than that of commercial software. This is in large part due to the community aspect of open source development wherein consumers of open source components download and use a component, often without the knowledge or awareness of the open source developers or leadership for the component. When it comes to security information, this anonymity presents a challenge for those wishing to ensure they’ve correctly patched any security defects in their environment.
As part of the Synopsys commitment to strengthening open source governance, the Black Duck Security Research (BDSR) team within the Synopsys Cybersecurity Research Center (CyRC) performed a detailed analysis of the impact statements for vulnerability disclosures for the Apache Struts Framework. The test bed created within BDSR enables our researchers to validate and accurately reproduce vulnerability findings across the large number of component releases commonly found with open source development.
As part of our research effort, we investigated 115 distinct releases for Apache Struts and correlated these releases against the 57 existing Apache Struts Security Advisories covering 64 vulnerabilities. We found that 24 Security Advisories incorrectly stated the impacted versions for the vulnerabilities contained within the correlated advisory. In total, 61 additional unique versions of Struts were identified as being impacted by at least one previously disclosed vulnerability.
In addition to seeking to identify the version impact for previously disclosed vulnerabilities, we attempted to determine the impact of the vulnerability itself. For example, we explored the question, could successful exploitation yield remote code execution or create a potential denial-of-service (DoS) attack? The findings obtained from this effort were disclosed to the Apache Struts team through responsible disclosure procedures.
With such significant updates to a large range of published vulnerability advisories, it’s reasonable to ask what the potential impact to Struts users might be. In the 2019 Open Source Security and Risk Analysis (OSSRA) report, we found that 43% of the commercial software codebases analyzed contained vulnerabilities over ten years old. This reality speaks to the complexity of open source security and the importance of ensuring accurate version impact statements.
While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache “known good” versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.
Lastly, we’d like to highlight that the Apache Struts team has announced Struts 2.3 is nearing its end of life. Users of Struts 2.3 should be actively developing and executing plans to migrate to Struts 2.5 in a prudent manner.
Given the breadth of our reported observations, confirming the findings and updating the relevant security advisories took some time to complete. We wish to thank the Apache Software Foundation and the Apache Struts team for their diligence collaborating on this effort. All findings were updated on the Apache Struts Security Advisory page on August 13, 2019, and summarized in S2-058.