On Aug. 22, the Apache Software Foundation announced that a new critical remote code execution vulnerability was found in Apache Struts 2 (CVE-2018-11776). According to the Semmle Security Research Team, who first identified and reported the vulnerability, this flaw is "more critical" than the Struts vulnerability behind the massive data breach that exposed the personal information of 143 million Americans in March of last year. The remote code execution vulnerability impacts all supported versions of Apache Struts 2. This means that any applications developed using the framework, most popularly used for developing Java-based applications, are potentially at risk (depending on the configuration) – even when additional plugins have not been enabled.
In the State of Software Security Volume 8, Veracode found that most open source components remain unpatched once they're built into software, and that 88 percent of Java applications had at least one component-based flaw. In the analysis of the “Struts-Shock” flaw disclosed in March 2017, our research showed that 68 percent of Java applications using the Apache Struts 2 library were using a vulnerable version of the component in the weeks following the initial attacks.
Open source components like Apache Struts 2, as well as commercial components, have become a foundational element in modern software development, as they allow developers to repurpose functional code and increase speed-to-delivery. In fact, our research indicates that between 80 percent to 90 percent of an application is made up of commercial or open source components. And when a bug can be found in a component, it means that same bug can be found in any and all applications that use that component.
All of this brings to mind that old saying, "fast, good or cheap - pick two," and in many ways, the evolution of development from waterfall to agile to DevOps has seemingly forced many organizations to fall into this trap. It's understood that with increased speed, there is also increased risk – a chance many development and security teams have been reluctantly willing to take in order to hit their deadlines.
But the reality is that security doesn’t have to be sacrificed for speed. Application security testing tools have advanced beyond the point of anyone's rightful ability to bury his or her head in the sand. Software Composition Analysis (SCA) is a powerful way to identify security and license risks from open source libraries early so that you can reduce unplanned work. Technologies like SourceClear are able to show you what open source components are being used, which vulnerable libraries are in place, and if you're using them in a way that makes your company vulnerable.
The discovery of this new vulnerability in Apache Struts highlights the fact that organizations are still struggling to maintain the security of their applications. Knowledge is power. Our advice is to ensure that open source library security is a part of your application security program. This empowers you to take advantage of the alerts and notifications of newly discovered vulnerabilities so that you can check them against your own inventory to understand their exposure and the best way to mitigate risk.