This fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used. Additionally, these tools only have plug-ins for a handful of the vulnerabilities reported in open source components each year. Companies that rely solely on the tools are blind to the thousands of vulnerabilities in open source each year for which plug-ins aren’t built.
There is a simpler way to handle these incidents, and it’s neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago. It’s called a bill of materials: a detailed listing of all parts used in a vehicle. When a recall is issued for a part such as an airbag, the OEMs don’t have to scan every vehicle manufactured to discover which ones are using the defective part. Through the bill of materials, they know precisely which vehicles are affected, down to the VIN.
Doing the same with software — maintaining an accurate list of all components used in each application — makes incident response much easier when vulnerabilities like this are disclosed. While a software bill of materials won’t tell you whether or not the vulnerabilities are exploitable — you still need Tenable or Rapid7 for that — it will allow you to quickly know which applications are potentially vulnerable and save your security team hours or days of assessment time.
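The lookup that a bill of materials makes possible, as an added example that is not code from the original post: given a component inventory per application and the fixed versions cited below (2.3.34 for the 2.3 branch, 2.5.13 for the 2.5 branch), list the applications that still ship a vulnerable REST plug-in. The SBOM shape, the application names and their versions are constructed for the example.

```python
"""Query a constructed SBOM for applications shipping a vulnerable component.
Added example (not the post's code); the SBOM shape and sample apps are
assumed, the fixed versions 2.3.34 / 2.5.13 are the ones cited on the page."""

# Constructed SBOM: {application: [(group, artifact, version), ...]}
SBOM = {
    "billing-portal": [
        ("org.apache.struts", "struts2-core", "2.5.10"),
        ("org.apache.struts", "struts2-rest-plugin", "2.5.10"),
    ],
    "hr-intranet": [
        ("org.apache.struts", "struts2-core", "2.3.34"),
        ("org.apache.struts", "struts2-rest-plugin", "2.3.34"),
    ],
    "static-site": [("org.springframework", "spring-web", "4.3.10")],
}

# First safe release in each Struts branch, as cited on the page.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}

def parse_version(v):
    """'2.5.10' -> (2, 5, 10); a trailing qualifier such as '-RC1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected(version):
    """True if this REST plug-in version predates the fix for its release branch."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # Assumption: a branch with no fixed release is flagged as affected
        # until verified, rather than silently passing.
        return True
    return parsed < fixed

def affected_apps(sbom, group="org.apache.struts", artifact="struts2-rest-plugin"):
    """Return {application: version} for each app shipping a vulnerable plug-in."""
    hits = {}
    for app, components in sbom.items():
        for g, a, v in components:
            if g == group and a == artifact and is_affected(v):
                hits[app] = v
    return hits

if __name__ == "__main__":
    for app, version in affected_apps(SBOM).items():
        print(f"{app}: struts2-rest-plugin {version} -> upgrade or remove the plug-in")
```

Only billing-portal is reported: hr-intranet already runs the first fixed 2.3 release, and static-site does not ship the plug-in at all, so no scanner run is needed to reach that list.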
For now, if you don’t need REST, remove the plug-in. As soon as possible, users are advised to update their Apache Struts components to version 2.3.34 or 2.5.13, per the LGTM security team.