It’s not all about Struts this week.


About a month before the Equifax breach hit the news, Flexera took the virtual stage at one of FS-ISAC's global threat update calls to warn about the dangers of open source software in production environments when that software is not meticulously controlled and maintained. Jeff Luszcs and I highlighted Struts 2 as one of the most widely used OSS components, and the multiple vulnerabilities present in it. Don't call us prophets, because we were not the only ones on a mission to alert the industry on this topic, but we do deserve credit for having the best team of researchers keeping an eye on vulnerabilities for over 14 years, and the best team of open source usage auditors who can pull this data for us.

This time we want to alert you to a new high-risk Struts vulnerability. Even though a temporary workaround exists, we strongly recommend updating to version 2.3.35 or 2.5.17. See our advisory SA84844. Struts is highly visible after the infamous breach, so we expect teams around the world to come up with a quick fix. However, it will probably be a fire drill for most, and a lot of other valuable information and critical vulnerabilities will get lost in the chaos.
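The first step in that fire drill is finding out which deployments actually carry a pre-fix Struts 2. The script below is an added example, not Flexera or Secunia code: it pulls the struts2-core version out of a Maven pom.xml (resolving a `${property}` reference, which is how most projects pin it) and out of jar file names as found under WEB-INF/lib, then compares each against the fixed versions named above (2.3.35 for the 2.3.x line, 2.5.17 for the 2.5.x line). The manifest and paths are constructed sample input; the treatment of lines older than 2.3 (always flagged) and newer than 2.5 (not covered by this advisory) is an assumption made for the example.

```python
"""Flag Apache Struts 2 versions below the fixed releases 2.3.35 / 2.5.17.

Added example for this post; not Flexera/Secunia code. Sample pom.xml and
jar paths below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Fixed versions named in the post, keyed by Struts 2 release line.
FIXED_IN = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Matches e.g. ".../struts2-core-2.3.34.jar" or "struts2-core-2.5.17-SNAPSHOT.jar".
_JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)[^/\\]*\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.16.3' -> (2, 3, 16, 3); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is below the fix for its release line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_IN:
        return v < FIXED_IN[line]          # tuple comparison handles 4-part versions
    # Assumption: lines older than 2.3 never received this fix and are flagged;
    # lines newer than 2.5 are outside the scope of the advisory.
    return line < (2, 3)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def struts_versions_in_pom(pom_xml: str) -> List[str]:
    """Return the declared struts2-core versions, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            ver = fields.get("version", "")
            ref = re.fullmatch(r"\$\{([^}]+)\}", ver)
            if ref:
                ver = props.get(ref.group(1), ver)   # unresolved refs are reported as-is
            found.append(ver)
    return found


def struts_versions_in_jars(paths: List[str]) -> List[str]:
    """Extract struts2-core versions from deployed jar paths (e.g. a WEB-INF/lib listing)."""
    return [m.group(1) for p in paths for m in [_JAR_RE.search(p)] if m]


def triage(versions: List[str]) -> Dict[str, str]:
    """Map each discovered version string to a verdict."""
    out: Dict[str, str] = {}
    for ver in versions:
        try:
            out[ver] = "VULNERABLE: upgrade to 2.3.35 / 2.5.17" if is_vulnerable(ver) else "fixed"
        except ValueError:
            out[ver] = "unresolved version, inspect manually"
    return out


# Constructed sample input (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_JARS = [
    "/srv/app/WEB-INF/lib/struts2-core-2.3.34.jar",
    "/srv/app/WEB-INF/lib/commons-lang3-3.7.jar",
    "/srv/legacy/WEB-INF/lib/struts2-core-2.3.35.jar",
]

if __name__ == "__main__":
    versions = struts_versions_in_pom(SAMPLE_POM) + struts_versions_in_jars(SAMPLE_JARS)
    for ver, verdict in triage(versions).items():
        print(f"struts2-core {ver}: {verdict}")
```

Note that the comparison is per release line: 2.3.34 is vulnerable even though 2.3 is numerically below 2.5.17, and 2.3.35 is fixed even though it is below 2.5.16. A naive "is the version at least 2.5.17" check gets both of those wrong, which is exactly the kind of false positive and false negative that turns a re-prioritization into a scramble.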

Make no mistake about the importance of patching Struts now: its visibility is likely to generate exploits quickly. But with a good security vulnerability management process, this should not catch you by surprise, and you should not have to defer the other vulnerabilities in your environment. It should just be a simple re-prioritization effort.

Here is why:

  • On the same day this vulnerability was disclosed, Secunia Research documented 25 other vulnerabilities in software from Avaya, IBM, Ubuntu, SUSE, Adobe (Photoshop), Symantec and phpMyAdmin, amongst many others.
  • A Highly Critical vulnerability in the popular mozjs52 SpiderMonkey JavaScript library on Ubuntu should also be on operations teams' radar. Advisory: SA84825.
  • gtk2 for SUSE also has a new update fixing about 5 vulnerabilities (some from last year!), the most recent of which Secunia Research rates Highly Critical with a CVSSv3 score of 8.8. Advisory: SA84816.
  • Ghostscript is an OSS component with a Highly Critical, not yet patched vulnerability that appears to affect ImageMagick, Evince, GIMP and other tools that rely on it for PDF/PostScript handling. Advisory: SA84781.
  • The popular mutt email client, packaged for many Linux distributions, has a recently disclosed vulnerability scoring 9.8 (CVSSv3) on most of them. Many advisories have been issued, and we have seen mutt installed on production servers. With a remote, Highly Critical vulnerability out there, we expect security teams to be on high alert.

Secunia Research has analyzed, verified, normalized and enriched over a quarter million vulnerabilities with unprecedented accuracy and value to our customers and to the community. We do this because we believe that somebody has to make sense of all the noise out there and allow security and operations professionals to work together to optimize their risk mitigation efforts.

Flexera also offers Software Composition Analysis solutions. These tools identify open source code that has been pasted, reused or included in the code your developers publish, reducing the risk from vulnerabilities like the one in Struts, as well as legal exposure from open source licenses. I suggest this post for further reading on these risks.

Stop reacting, gain control. Stay secure!

Learn more about our Software Vulnerability Management solutions for security researchers and platform operations teams.
