Another remote code execution vulnerability in Apache's Struts2 Framework was disclosed late yesterday - leaving many feeling like they're having Deja Vu. This new vulnerability, identified and reported by Man Yue Mo from the Semmle Security Research Team, is quite similar to others we've seen, and led to high profile and devastating exploits.
CVE-2018-11776 is configuration dependent. It specifically requires you do not use Namespaces. While there are more nuances to this newest version, most configurations are common settings - meaning that if you're using this version of Struts2, you're likely vulnerable.
The public disclosure urgently advises organizations and developers using Struts to upgrade their components immediately to versions 2.3.35 and 2.5.17. As we know, previous public disclosures of similarly critical vulnerabilities have resulted in exploits published within a day, attacks in the wild within three days, and devastating damage to critical infrastructure and massive theft of customer data over time.
As we get so attuned to "another day, another new vuln," organizations around the world are left scrambling to respond to a brand new threat they just learned about within the last 24 hours. The good news, however, at least for those organizations that have embraced automated open source governance and DevOps-style continuous delivery practices, is that they are uniquely capable of responding.
In this instance, customers of Sonatype Nexus Repository were notified of CVE-2018-11776 yesterday morning, just hours after it was publicly disclosed. Additionally, their application security teams quickly identified which, if any, production applications contained the vulnerable component. Finally, their development teams automatically received step-by-step instructions to remediate the risk.
Separately, DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. According to a recent Forrester survey, 8% of organizations deploy once per day, 25% deploy once per week, and 68% of organizations deploy less than once per month on average.
In this new normal, organizations that actively govern open source hygiene and release software faster face significantly less risk than those that don't.
If you're not a Sonatype customer, and want to quickly find out if you're using the just announced, vulnerable version of Struts2 in a specific application, you can use Sonatype's free Application Health Check to quickly find out.
.jpg?width=150&height=150&name=fox-2016-1-sq%20(1).jpg)
Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a ...
Explore All Posts by Brian FoxTags
