This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after, the disclosure. As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.
Whenever critical vulnerabilities emerge, attackers have the first-mover advantage. Therefore, the only thing that matters is speed.
- How long before you even become aware?
- How long does it take you to assess your exposure?
- How quickly can you remediate the vulnerability?
In today's world, different companies use different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.
It's now been 3 days since the Struts 2 fix and disclosure. Here's the official description available from the MITRE database as of Friday, March 10th: