Another remote code execution vulnerability in Apache’s Struts2 Framework was disclosed late yesterday - leaving many feeling like they’re having Deja Vu. This new vulnerability, which was identified and reported by Man Yue Mo from the Semmle Security Research Team, is quite similar to others we’ve seen, and which led to high profile and devastating exploits.
CVE-2018-11776 is configuration dependent. It specifically requires that you are not using Namespaces. While there are more nuances to this newest version, most of the configurations are common settings - meaning that if you’re using this version of Struts2, you’re most likely vulnerable.
The public disclosure urgently advises organizations and developers using Struts to upgrade their components immediately to versions 2.3.35 and 2.5.17. As we know, previous public disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, attacks in the wild within three days, and devastating damage to critical infrastructure and massive theft of customer data over time.
As we get so attuned to “another day, another new vuln,” the result is that organizations around the world are left scrambling to respond to a brand new threat that they just learned about within the last 24 hours. The good news however -- at least for those organizations that have embraced automated open source governance and DevOps-style continuous delivery practices -- is that they are uniquely capable of responding.
In this instance, customer’s of Sonatype Nexus were notified of CVE-2018-11776 yesterday morning -- just hours after it was publicly disclosed. Additionally, their application security teams were able to rapidly identify which, if any, production applications contained the vulnerable component. Finally, their development teams automatically received step-by-step instructions to remediate the risk.
Separately, DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. According to a recent Forrester survey, 8% of organizations deploy once per day, 25% deploy once per week, and 68% of organizations deploy less than once per month on average.
In this new normal, organizations that actively govern open source hygiene and release software faster face significantly less risk than those that don’t.
If you're not a Sonatype customer, and want to quickly find out if you're using the just announced, vulnerable version of Struts2 in a specific application, you can use Sonatype's free Application Health Check to quickly find out.