Over the past few years, a not-so-great holiday season tradition has been critical security vulnerabilities that come out at the last minute, prompting action and fast responses at a time when resources at the defending side are low.
On December 7, 2023, the Apache Struts project released new versions to patch a security vulnerability that was initially thought to be a directory traversal issue, but was soon discovered to allow attackers to achieve remote code execution when a few conditions are met. The CVSS score for the issue sits at a Critical 9.8. If you haven't done so, read our blog post about the details of this vulnerability.
Let's get this out of the way first - this isn't the next Log4Shell, nor is this as easy to exploit as the worst security vulnerability in history. However, that should not matter. This is exactly the type and severity of security vulnerability that led to the historic breaches in 2017 and before.
Most risk associated with open source lies in its consumers choosing to stay on bad or outdated versions, as opposed to the project not providing fixes. In this, the Struts project has always been exemplary, creating fixes for issues very quickly. However, we have seen in previous research that the consumption side needs to pick up the pace to keep up.
The vulnerability now at hand contains three elements that lead to breaches:
it's easily automatable,
there are plenty of targets on the internet, and
organizations are more thinly staffed during the holiday season, so patching is slower and attacks are noticed later.
This is a recipe for disaster if not addressed properly - and similar things have happened before. For example, in 2017 the vulnerability that led to the famous breaches was actually classified as less serious than the one at hand now.
PoC code for the vulnerability is available, and organizations such as NHS UK, CISA and Cisco have already put out alerts advising users and administrators to apply patches as soon as possible. The slight silver lining is that there are conditions the software has to meet for it to be exploitable, but the best line of defense is to patch the issue out.
As custodians of Maven Central, we have a unique perspective on how many downloads the component gets, how fixes are adopted across the world, and how the fixes propagate. In the spirit of sharing information, we are today releasing a special dashboard to track and trace the spread and adoption of the fixed versions.
The risk of this vulnerability stems from two sources: Software you develop yourself using Struts, as well as software you operate that is built using it.
The affected component coordinate is struts2-core, in versions 2.0.0 to 2.5.2 and 6.0.0 to 6.3.0.1. The vulnerability stems from improper case handling in the HttpParameters class. Alongside the main component, we have also seen this class in 1549 other artifacts that have borrowed the code.
Between the vulnerability's disclosure and the time of writing, there have been well over 47,000 downloads of the affected main project. This is roughly 2-5k individual downloads a day, showcasing Struts' popularity in the Java world.
The affected component, struts2-core, gets an average of 300,000 monthly download requests. The diagram below shows how downloads of the artifact have remained relatively stable over the last few months.
There are two main versions of struts2 - 2.x and 6.x. Out of the two, 2.x gets the most downloads despite the version number change occurring well over a year ago.
Another perspective is to ask how widely struts2 is deployed. Here, a few search engine skills can be of great help. Struts2 implements a specific type of URL schema, which ends in .action. Knowing that this vulnerability uses this handle, we can simply use search operators to seek out potentially affected services that provide upload forms.
Simply searching "upload filetype:action" reveals well over 1M potentially affected servers.
This type of vulnerability is interesting to look at because it is very representative of a serious security vulnerability that isn't gaining nearly as much media attention as some other vulnerabilities of this magnitude. At the time of writing, about 80% of all downloads of struts2-core are still vulnerable to the issue.
This is in contrast to the adoption curve of the Log4Shell fix, where the share of vulnerable downloads dropped to about 40% within the space of a few weeks. This is testament to the power of publicity; unfortunately, that pattern is not observed with this vulnerability, which is much more characteristic of most CVEs out there.
As we navigate the holiday season, the urgency to address the Struts2 vulnerability should be a high priority. The potential for remote code execution, reminiscent of the compromise that affected Equifax, underscores the need for swift action.
While not as severe as some high-profile cases like Log4j two years ago, these incidents serve as a reminder that open source, like any technology, requires vigilant maintenance. So, catalog your software and know your components. Additionally, create software bills of materials (SBOMs) and scan for struts2-core.
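As a worked example of the last step, the script below scans a CycloneDX JSON SBOM for org.apache.struts:struts2-core and flags any version that falls inside the affected ranges quoted in this post (2.0.0 to 2.5.2 and 6.0.0 to 6.3.0.1, inclusive). This is added example code, not a Sonatype tool or part of the Struts project; the SBOM document embedded in it is constructed for illustration, and the version ranges are copied from the post, so confirm them against the project's advisory before relying on the script in your own pipeline.

```python
"""Flag struts2-core entries in a CycloneDX SBOM that fall in the affected version ranges."""
import json
from typing import List, Tuple

# Affected ranges of org.apache.struts:struts2-core as stated in the post (inclusive).
# Verify against the official advisory before production use.
AFFECTED_RANGES = [
    ("2.0.0", "2.5.2"),
    ("6.0.0", "6.3.0.1"),
]

# Package URL prefix that identifies the component we care about in a CycloneDX SBOM.
STRUTS2_CORE_PURL_PREFIX = "pkg:maven/org.apache.struts/struts2-core@"

# Constructed sample SBOM (not a real project's bill of materials): two affected
# versions, one fixed version of struts2-core, and an unrelated component.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "2.5.1", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.1?type=jar"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "6.3.0.1", "purl": "pkg:maven/org.apache.struts/struts2-core@6.3.0.1?type=jar"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "6.3.0.2", "purl": "pkg:maven/org.apache.struts/struts2-core@6.3.0.2?type=jar"},
    {"type": "library", "group": "com.example", "name": "unrelated-lib",
     "version": "1.0.0", "purl": "pkg:maven/com.example/unrelated-lib@1.0.0?type=jar"}
  ]
}
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.0.1' into (6, 3, 0, 1). Trailing non-numeric text in a segment
    (e.g. '-rc1') is dropped so the comparison stays purely numeric."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check; tuples are zero-padded so 2.5.2 and 2.5.2.0 compare equal."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def is_affected(version: str) -> bool:
    """True if the struts2-core version lies inside any affected range."""
    return any(version_in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)


def find_struts2_core(sbom: dict) -> List[Tuple[str, str, bool]]:
    """Return (purl, version, affected) for every struts2-core component in the SBOM.
    The version is taken from the purl so the check also works for SBOMs that omit
    the separate 'version' field."""
    findings = []
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        if not purl.startswith(STRUTS2_CORE_PURL_PREFIX):
            continue
        # purl form: pkg:maven/<group>/<name>@<version>?<qualifiers>
        version = purl.split("@", 1)[1].split("?", 1)[0]
        findings.append((purl, version, is_affected(version)))
    return findings


def scan_sbom_json(text: str) -> List[Tuple[str, str, bool]]:
    """Parse a CycloneDX JSON document and report on struts2-core entries."""
    return find_struts2_core(json.loads(text))


if __name__ == "__main__":
    for purl, version, affected in scan_sbom_json(SAMPLE_SBOM_JSON):
        status = "AFFECTED - upgrade" if affected else "not in affected range"
        print(f"{purl}: {version} -> {status}")
```

Point the script at a real SBOM by replacing `SAMPLE_SBOM_JSON` with the contents of your `bom.json`; it deliberately keys on the package URL rather than the `name` field, because the same class has been copied into other artifacts and a name-only match would miss forks published under different coordinates.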
To delve deeper into the implications of the Struts2 vulnerability and understand why Sonatype Repository Firewall and Sonatype Lifecycle are more crucial than ever, join us for an insightful discussion tomorrow.
This webinar will provide valuable insights into mitigating the risks associated with the Struts2 vulnerability and offer a detailed understanding of Sonatype's solutions. Don't miss this opportunity to stay informed and better secure your software supply chain.
Finally, stay informed on the Struts2 vulnerability with Sonatype's dedicated resource center, which includes a dashboard of download statistics and insights.