Deja Vu All Over Again: Another New Apache Struts Vulnerability (CVE-2018-11776)


Another remote code execution vulnerability in Apache's Struts2 framework was disclosed late yesterday, leaving many feeling like they're having deja vu. The new vulnerability, identified and reported by Man Yue Mo of the Semmle Security Research Team, is similar to earlier Struts flaws that led to high-profile and devastating exploits.

CVE-2018-11776 is configuration dependent: it affects applications whose Struts configuration leaves actions or results without an explicit namespace (including wildcard namespaces on the enclosing package). There are further nuances, but these settings are common in real deployments, so if you're running an affected Struts2 release you should assume you're vulnerable until you have verified your configuration.

The public disclosure urgently advises organizations and developers using Struts to upgrade immediately to version 2.3.35 (for the 2.3 line, replacing 2.3 through 2.3.34) or 2.5.17 (for the 2.5 line, replacing 2.5 through 2.5.16). As we have seen, previous public disclosures of similarly critical vulnerabilities have resulted in exploits published within a day, attacks in the wild within three days, and, over time, devastating damage to critical infrastructure and massive theft of customer data.

Even as "another day, another new vuln" becomes routine, organizations around the world are left scrambling to respond to a threat they first learned about within the last 24 hours. The good news, at least for organizations that have embraced automated open source governance and DevOps-style continuous delivery practices, is that they are uniquely capable of responding.

In this instance, customers of Sonatype Nexus Repository were notified of CVE-2018-11776 yesterday morning, just hours after it was publicly disclosed. Additionally, their application security teams quickly identified which, if any, production applications contained the vulnerable component. Finally, their development teams automatically received step-by-step instructions to remediate the risk.

Separately, DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that lets them stay one step ahead of attackers. According to a recent Forrester survey, 8% of organizations deploy once per day, 25% deploy once per week, and 68% deploy less than once per month on average.

In this new normal, organizations that actively govern open source hygiene and release software faster face significantly less risk than those that don't.

If you're not a Sonatype customer and want to find out whether a specific application is using the just-announced vulnerable version of Struts2, you can use Sonatype's free Application Health Check.
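A minimal way to do that check yourself on a deployed application, as an added example that is not part of the original post and is not Sonatype's tooling: walk a directory tree, find every struts2-core jar (including jars bundled under WEB-INF/lib inside a .war), read the version from the Maven pom.properties the jar carries (falling back to the file name), and flag anything on the 2.3 line below 2.3.35 or on the 2.5 line below 2.5.17. The affected ranges are inferred from the fixed releases named above; the sample jars the script builds are constructed stand-ins with no real classes, and the helper names are this example's own.

```python
"""Added example: scan a directory tree for struts2-core jars (loose or inside
.war files) and flag versions below the fixed releases 2.3.35 and 2.5.17."""
import io
import os
import re
import tempfile
import zipfile

# Fixed releases named in the disclosure; anything earlier on the same branch
# is reported as affected. Other branches are outside this advisory's scope.
FIXED = {(2, 3): 35, (2, 5): 17}

JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)")
# Standard location of the Maven metadata inside a Maven-built jar.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); qualifiers such as '-SNAPSHOT' are dropped."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version):
    """True for 2.3.x below 2.3.35 and 2.5.x below 2.5.17 (a bare '2.5' counts as 2.5.0)."""
    v = parse_version(version)
    branch, patch = v[:2], (v[2] if len(v) > 2 else 0)
    return branch in FIXED and patch < FIXED[branch]


def version_from_jar(jar_bytes, name):
    """Prefer the pom.properties embedded in the jar, which survives a rename;
    fall back to the version in the file name. Returns None if neither works."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = JAR_NAME_RE.search(name)
    return m.group(1) if m else None


def scan(root):
    """Return [(location, version, affected)] for every struts2-core jar under
    root, looking inside WEB-INF/lib of .war archives as well."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            if fname.endswith(".war"):
                with zipfile.ZipFile(path) as war:
                    for entry in war.namelist():
                        base = os.path.basename(entry)
                        if entry.startswith("WEB-INF/lib/") and base.startswith("struts2-core"):
                            ver = version_from_jar(war.read(entry), base)
                            findings.append((path + "!" + entry, ver, bool(ver) and is_affected(ver)))
            elif fname.startswith("struts2-core") and fname.endswith(".jar"):
                with open(path, "rb") as fh:
                    ver = version_from_jar(fh.read(), fname)
                findings.append((path, ver, bool(ver) and is_affected(ver)))
    return findings


def _fake_jar(version, with_pom=True):
    """Constructed stand-in for a struts2-core jar (metadata only, no classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pom:
            zf.writestr(POM_PROPS, f"groupId=org.apache.struts\nartifactId=struts2-core\nversion={version}\n")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample input: a loose jar with no pom.properties, a renamed
    jar whose version survives only in pom.properties, and a war bundling a
    fixed release next to an unrelated library."""
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "struts2-core-2.3.34.jar"), "wb") as fh:
        fh.write(_fake_jar("2.3.34", with_pom=False))
    with open(os.path.join(root, "lib", "struts2-core.jar"), "wb") as fh:
        fh.write(_fake_jar("2.5.16"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.17.jar", _fake_jar("2.5.17"))
        war.writestr("WEB-INF/lib/commons-lang3-3.7.jar", _fake_jar("3.7", with_pom=False))


def demo():
    """Build the constructed sample tree in a temporary directory, scan it and
    return findings with root-relative locations."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(loc, tmp), ver, aff) for loc, ver, aff in scan(tmp)]


if __name__ == "__main__":
    for location, version, affected in demo():
        print("AFFECTED" if affected else "ok      ", version, location)
```

Run it against a real deployment by replacing `demo()` with `scan("/path/to/webapps")`. Matching on the jar name alone is not enough: the renamed `struts2-core.jar` in the sample is only identified as 2.5.16 because the Maven metadata inside the archive is read, which is why the script prefers pom.properties over the file name.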

Written by Brian Fox

Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from the Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, as well as developing and leading the development of, software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other security and development-related conferences.