It’s one hell of a year for Apache Struts. With the latest round of security disclosures comingled with the Equifax data breach, it’s reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.
The easy answer to the question is “it depends.” Sorry folks, but I couldn’t resist going back to my consulting days with that one — but it’s true. What I want to do with this blog post is highlight some of the factors that should be part of your analysis — and they’re all positive items.
While Struts is currently under increased scrutiny due to the visibility of the Equifax breach and recent vulnerability announcements, project stats for Apache Struts, publicly available on Black Duck Open Hub, show that new versions have had relatively few vulnerabilities reported against them.
The Black Duck KnowledgeBase™ tracks open source project activity occurring on over 10,000 sites for projects of widely varying size, maturity and sophistication. Apache maintains a strong and active community, and their development and testing practices are as good as or better than many commercial software development teams. In both cases, flaws, including security vulnerabilities, can and do make their way into the code and may only be discovered years later. Consider this post from René Gielen on the role of Struts in the Equifax data breach. In it he not only provides some clear recommendations for proper application hygiene, but also directly addresses a question I hear quite regularly “if the vuln is so old, why is it only being fixed now?” In the post, René states:
“One has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years…. What we saw here is common software engineering business –people write code for achieving a desired function, but may not be aware of undesired side-effects.”
So, in the face of multiple potential remote code execution disclosures in a single week, how do you keep pace?
The easy answer is you need to have both a clear view of which applications are using Struts, and a way to proactively monitor for new security disclosures. If that system can also point you to public exploit code you can use to validate if your defenses are working properly, so much the better.
In the end, only you can decide if you are comfortable using Apache Struts, but it’s important to remember that all software, be it open source or proprietary, will have security issues. If you’re dependent upon any third party components or software, you need to be proactively monitoring for new security issues regardless of where they’re reported. Black Duck Hub can help with that, and together we can minimize the work required to build and maintain secure applications and containers.