Security researchers have disclosed a vulnerability (CVE-2017-5638) in the open source Apache Struts 2 framework (report). Struts is widely used by developers in the financial services industry to build Java web applications, and the vulnerability is being exploited in attacks right now. Users are advised to update Struts urgently; Apache released a patched version earlier this week. Mike Pittenger, Head of Security Strategy at Black Duck Software, which helps organisations manage and secure the open source software they use, commented below.
Mike Pittenger, Head of Security Strategy at Black Duck Software:
“Obviously, zero day vulnerabilities are a problem, in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Struts creates a very target-rich environment for attackers, and an exploit already has been reported to be in the wild.”
“Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that this vulnerability will cause problems for years to come. Black Duck’s 2016 on-demand audit report showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% still were vulnerable to Heartbleed. This is evidence that even well publicized vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application, and almost 10% had three or more versions, further complicating remediation for a vulnerability like this. Unless organizations are diligent about tracking the open source they are using, and vulnerabilities as they are disclosed, these issues don’t get addressed.”
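The remediation problem Pittenger describes, several copies of Struts inside one application and no inventory of which versions are deployed, is a tracking problem before it is a patching problem. The script below is an added example (not Black Duck's tooling or anything from the original post) that inventories `struts2-core-*.jar` files under a deployment root, groups them by web application (the directory above `WEB-INF`), and reports applications that carry more than one Struts version or a version older than the fixed release for its line. The sample jar paths and the fixed-version thresholds are constructed for the demonstration; the thresholds are an assumption and should be taken from the Apache Struts advisory for CVE-2017-5638 before the script is used for real.

```python
"""Inventory Apache Struts 2 core jars and flag applications that need attention.

Added example: not part of the original post. Paths and thresholds are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict

# Matches the Struts 2 core jar and captures its dotted version, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# ASSUMPTION: fixed releases per line; confirm against the Apache advisory for CVE-2017-5638.
ASSUMED_FIXED = ("2.3.32", "2.5.10.1")

# Constructed sample of a Tomcat deployment with several web applications.
SAMPLE_JARS = [
    "/srv/tomcat/webapps/payments/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/tomcat/webapps/payments/WEB-INF/lib/struts2-core-2.5.10.jar",   # two versions in one app
    "/srv/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/tomcat/webapps/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",  # not Struts, ignored
    "/srv/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.1.8.jar",       # line with no fixed release
]


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly component by component."""
    return tuple(int(p) for p in v.split("."))


def app_root(path):
    """The web application a jar belongs to: the directory that contains WEB-INF."""
    parts = re.split(r"[\\/]", path)
    if "WEB-INF" in parts:
        return "/".join(parts[: parts.index("WEB-INF")])
    return "/".join(parts[:-1])


def find_struts_jars(root):
    """Walk a deployment root and return every struts2-core jar path found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if JAR_RE.match(f))
    return found


def inventory(jar_paths):
    """Map each application root to the sorted list of Struts versions it ships."""
    apps = defaultdict(set)
    for p in jar_paths:
        m = JAR_RE.match(os.path.basename(p))
        if m:
            apps[app_root(p)].add(m.group(1))
    return {app: sorted(vs, key=parse_version) for app, vs in apps.items()}


def is_fixed(version, fixed_versions):
    """A version is fixed when it is at or above the fixed release of its own
    release line (first two components). Lines with no fixed release count as affected."""
    v = parse_version(version)
    for f in fixed_versions:
        ft = parse_version(f)
        if v[:2] == ft[:2]:
            return v >= ft
    return False


def assess(jar_paths, fixed_versions):
    """Return (application, finding, versions) triples for remediation planning."""
    findings = []
    for app, versions in sorted(inventory(jar_paths).items()):
        if len(versions) > 1:
            findings.append((app, "multiple Struts versions", versions))
        below = [v for v in versions if not is_fixed(v, fixed_versions)]
        if below:
            findings.append((app, "below fixed version", below))
    return findings


if __name__ == "__main__":
    # Recreate the constructed sample on disk so the directory walker is exercised too.
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_JARS:
            full = os.path.join(tmp, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        for app, finding, versions in assess(find_struts_jars(tmp), ASSUMED_FIXED):
            print(f"{app}: {finding}: {', '.join(versions)}")
```

The version check is deliberately per release line: a 2.3.x jar is not "fixed" just because a newer 2.5.x release exists, and a line with no fixed release is reported as affected rather than silently passed. An application that shows up under "multiple Struts versions" needs each copy traced back to the module that pulled it in, since upgrading one and leaving the other is exactly the partial remediation Pittenger warns about.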
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.