Important: Apache Struts Framework Security Alert


August 13, 2013 By Derek Weeks

The popular Apache Struts Framework, a toolkit used to build many of today’s web applications, has a critical vulnerability that was recently announced by the Struts team at Apache. The National Institute of Standards and Technology (NIST) has added the exposure to the National Vulnerability Database and assigned a critical score (9.3 out of 10).

Given the widespread usage of Struts and the critical nature of this vulnerability, it is imperative that affected organizations react to this news. Sonatype researchers were able to validate the exploitability of web applications built on Struts, and Sonatype has done additional research that can help guide your response.

What is the first step? Awareness. Over the last 12 months, more than 6,000 organizations have downloaded affected versions of Struts. To exacerbate this problem, some form of this vulnerability is apparent in the many versions of Struts that have been released through the years. Does this vulnerability exist in your organization? Unfortunately there is not a simple answer for most organizations given the number of applications that they have, the accessibility to Struts, the reliance on distributed development and outsourcing efforts, the complexity of today’s component-based applications, and the lack of visibility that organizations have into their inventory of components and frameworks.

Given that more than 80% of a modern web application is comprised of components such as Struts, there are a number of considerations that you should take into account. Here are several examples:

  • Accurate Inventory: Maintaining an inventory of applications and a comprehensive bill of materials for those applications is critical to preserving adequate levels of visibility.
  • Automated Policies: Providing guidance or enforcing action directly in the tools that developers use based on automated security, licensing and architecture policies helps protect the entire software lifecycle.
  • Continuous Monitoring: The ability to continuously monitor the ecosystem for new disclosures, quickly diagnose risk, and appropriately acting to mitigate risk can only be possible (or efficient, anyway) in the context of the situational awareness enabled by such knowledge and visibility.

Sonatype believes organizations that build and deliver trusted applications fast and efficiently will realize competitive differentiation. To achieve this, you need to effectively manage components throughout the entire software lifecycle.

Sonatype has been on the forefront of creating tools to manage, organize, and better secure components since the inception of the Central Repository and Maven in 2001. Partnering with developers, security professionals and the open source community,

Sonatype has introduced a way to keep pace with modern software development without sacrificing software integrity, a solution we call Component Lifecycle Management (CLM).

To help organizations deal with the Struts vulnerability and to help demonstrate the value provided by the CLM’s rich component intelligence, Sonatype has produced a security advisory for the Apache Struts vulnerability (CVE-2013-2251) available here.

  • John Doe

    Vulnerability is known for almost a month already and you areposting an alert only now? Great responsive job, guys.
    Having the fact that most of the article is nothing but an advertising – I don’t see any sense in it.

    • Brian Fox

      For the last month we have been working with our customers to ensure they are informed. This is the prudent thing to do before we publicized it further.