Heads Up: There’s a New Struts 2 Vulnerability in Town.

Secure your Open Source Software now.

About a month before the Equifax breach hit the news, Flexera took the virtual stage at one of FS-ISACs global threat update calls to alert about the dangers of Open Source Software in production environments when such software is not meticulously controlled and maintained.  Alejandro Lavie and Jeff Luszcz highlighted Struts 2 as one of the most popular OSS components out there, and discussed the multiple vulnerabilities found in it. We certainly aren’t prophets because we weren’t the only experts on a mission to alert the industry on this topic. However, modestly, we deserve credit for having the best team of researchers keeping an eye on vulnerabilities for over 14 years, and the best team of open source usage auditors that can pull this data.

Today, we want to sound the alert of a new high-risk Struts vulnerability that, even though it has a work around, we absolutely recommend updating the software to version 2.3.35 or 2.5.17. See our advisory here and search using the code CVE-2018-11776.

Struts is highly visible after the infamous breach so we expect teams around the world to come up with a quick fix. Granted, it will probably be a fire drill for most and a lot of the other valuable information and critical vulnerabilities will get lost in the chaos.

Make no mistake how important it is to patch Struts now, as its visibility is likely to generate issues quickly. With a good security vulnerability management process this shouldn’t catch you by surprise, and you shouldn’t t have to forget about the other vulnerabilities in your environment. It’s more of a re-prioritization effort. Here’s why:

  • The same day this vulnerability was disclosed, Flexera’s Secunia Research documented 25 other vulnerabilities in software from Avaya, IBM, Ubuntu, SUSE, Photoshop, Symantec and phpMyAdmin amongst many others.
  • A Highly Critical vulnerability in the popular mozjs52 Spidermonkey JavaScript library for Ubuntu is also of consideration for operations teams.
  • gtk2 for Suse also has a new update to fix about 5 vulnerabilities (some from last year!), with the most recent one being Highly Critical as deemed by Secunia Research with a CVSSv3 score of 8.8.
  • Ghostscript is an OSS with a highly critical, not patched (yet) vulnerability that seems to affect ImageMagick, Evince, GIMP and other PDF/PS tools.
  • The popular mutt email client for various Linux flavors has a recently disclosed vulnerability with 9.8 score for most flavors of the OS. Many advisories have been issued, and we’ve seen this system installed in production servers. With a remote, highly critical vulnerability out there, we expect security teams to be on high alert.

Secunia Research has analyzed, verified, normalized and enriched over a quarter million vulnerabilities with an unprecedented accuracy and value to Flexera customers and to the community. Together with our Software Composition Analysis solution, we track, analyze and remediate vulnerabilities in applications. We do this because we believe that somebody has to make sense of all the noise out there, and allow security and operations professionals to work together to optimize their risk mitigation efforts.

Flexera offers the tools you need to identify open source risk, reduce your potential exposure, and manage any legal matters related to open source licensing.

Well publicized events like this offer you a great opportunity to improve your processes and take control of your OSS security, compliance and legal responsibilities while addressing vulnerabilities quickly.

Category: General

Leave a Reply

Your email address will not be published. Required fields are marked *