Apache Security Advisories Red Flag Wrong Versions in Patching Gaffe

Up to 24 Apache Struts Security Advisories listed the wrong versions that were impacted by vulnerabilities, researchers warn.

Researchers have pinpointed errors in two dozen Apache Struts security advisories, which warn users of vulnerabilities in the popular open-source web app development framework. They say that the security advisories listed incorrect versions impacted by the vulnerabilities.

The concern raised by the research is that security administrators running the versions that are actually affected would wrongly conclude that their deployments were in the clear, and would therefore hold off on patching, said researchers with Synopsys, who disclosed the findings on Thursday.

“The real question here from this research is whether there remain unpatched versions of the newly disclosed versions in production scenarios,” Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys, told Threatpost. “In all cases, the Struts community had already issued patches for the vulnerabilities so the patches exist, it’s just a question of applying them.”

Synopsys researchers said that they investigated 115 releases of Apache Struts and correlated them against 57 existing Apache Struts security advisories that covered a total of 64 vulnerabilities. From there, they found that 24 security advisories incorrectly stated the impacted versions.

In addition, researchers found that previously-disclosed vulnerabilities affect an additional 61 versions that weren’t listed in the original security advisories.

“What we’ve uncovered could be best described as a situation where someone might look at their existing deployment and incorrectly conclude they were free from the impact of a given vulnerability and then defer patching,” Mackey told Threatpost. “It is that false level of confidence which is the real danger as in such a situation the triage effort gave a proverbial ‘thumbs up’ when in reality there was an issue needing patching.”

The Apache Struts versions affected by the corrected advisories range from 2.0.0 to 2.5.12.

The full list of impacted security bulletins with impacted version changes can be found here. They include advisories for CVEs issued between 2008 and 2017, such as CVE-2017-12611, CVE-2017-9793 and CVE-2017-9791.

The Apache Software Foundation, the nonprofit that supports Apache software projects, said the CVE entries have been updated to reflect the corrected affected versions as well as the versions that contain the fixes. Regardless of which advisory applies, developers are urged to upgrade to at least the releases covered by the latest Security Bulletin, S2-057: Struts 2.3.35 or Struts 2.5.17.
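The triage failure the researchers describe (a deployed version falling outside a published range that was too narrow, giving a false "not affected") and the upgrade floor the Foundation recommends can both be checked mechanically. The following is an added example, not code from the article, Synopsys or the Struts project. The advisory records in it are constructed and hypothetical (the IDs EX-001 to EX-003 and their ranges are not real bulletins); the only real numbers are the fixed releases the article names, 2.3.35 and 2.5.17. It assumes Struts versions always have the three-part form major.minor.patch.

```python
"""Version-range triage for Struts-style advisories (added example).

Compares what a team would conclude from an advisory's published version
range against the corrected range, and applies the upgrade floor from the
article (S2-057: Struts 2.3.35 / 2.5.17). Advisory data below is constructed.
"""
from __future__ import annotations

import re

_NUM = re.compile(r"\d+")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.5.12' into (2, 5, 12) so comparisons are numeric.

    Comparing version strings lexically is a classic triage bug:
    '2.5.9' > '2.5.12' as strings, so a string compare would treat
    2.5.9 as newer than 2.5.12. Assumes three-part versions.
    """
    parts = tuple(int(p) for p in _NUM.findall(v))
    if len(parts) != 3:
        raise ValueError(f"unexpected Struts version format: {v!r}")
    return parts


def in_range(version: str, lo: str | None, hi: str) -> bool:
    """True if lo <= version <= hi.

    lo=None models an 'and prior versions' advisory whose lower bound was
    never determined: every release up to hi is treated as affected.
    """
    v = parse_version(version)
    if lo is not None and v < parse_version(lo):
        return False
    return v <= parse_version(hi)


# Constructed advisory records, NOT real Struts bulletins. Each carries the
# range as originally published and the range after correction, mirroring
# the pattern in the article: affected releases missing from the published
# range. EX-003's published entry is an open-ended 'and prior' range.
ADVISORIES = [
    {"id": "EX-001", "published": ("2.3.5", "2.3.31"), "corrected": ("2.3.5", "2.3.34")},
    {"id": "EX-002", "published": ("2.5.0", "2.5.10"), "corrected": ("2.5.0", "2.5.12")},
    {"id": "EX-003", "published": (None, "2.3.28"), "corrected": ("2.0.0", "2.3.33")},
]


def matching_advisories(version: str, use_corrected: bool) -> list[str]:
    """IDs of advisories whose (published or corrected) range covers version."""
    key = "corrected" if use_corrected else "published"
    return [a["id"] for a in ADVISORIES if in_range(version, *a[key])]


def needs_upgrade(version: str) -> bool:
    """Upgrade floor from the article: S2-057 ships in 2.3.35 and 2.5.17.

    A 2.3.x below 2.3.35 or a 2.5.x below 2.5.17 needs upgrading. Any other
    2.x branch (2.0 to 2.2) has no fixed release named in the article, so
    this example treats it as needing an upgrade as well (an assumption).
    """
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v < (2, 3, 35)
    if v[:2] == (2, 5):
        return v < (2, 5, 17)
    return True


def triage(version: str) -> dict:
    """Show the false negative: published ranges say clear, corrected say hit."""
    published = matching_advisories(version, use_corrected=False)
    corrected = matching_advisories(version, use_corrected=True)
    return {
        "version": version,
        "published_says_affected": bool(published),
        "corrected_says_affected": bool(corrected),
        "false_negative": bool(corrected) and not published,
        "missed_advisories": sorted(set(corrected) - set(published)),
        "needs_upgrade": needs_upgrade(version),
    }


if __name__ == "__main__":
    for v in ("2.3.33", "2.5.12", "2.5.17", "2.1.8"):
        print(triage(v))
```

Run against the constructed data, 2.3.33 and 2.5.12 are the cases the article warns about: the published ranges clear them while the corrected ranges do not. The `needs_upgrade` check is the practical safeguard, since it does not depend on any advisory's range being right: anything below the 2.3.35 / 2.5.17 floor gets upgraded regardless of what the bulletins said.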

“The Apache Struts Security Team would like to announce that a number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges,” according to a Thursday post by the Apache Software Foundation in response to the findings. “The Apache Struts Security Team worked with the reporters to cross-check said issues and map them to affected Apache Struts General Availability (GA) releases.”

The research sheds light on the fact that “determining the true impacted version range for a given vulnerability is particularly hard, resource intensive work which often results in concessions to those resources,” said Mackey.

Apache Struts being open source adds a further complication: project owners don't always know which versions are in use in the real world, because downloading an open-source component is anonymous.

“It’s… important that we recognize that ‘right vs wrong’ isn’t something we can really say in this context,” Mackey told Threatpost. “When that happens, the proverbial ‘and prior versions’ statement will tend to be used in a vulnerability disclosure. Unfortunately, just because a vendor or author chooses to limit the scope of their testing doesn’t always reflect the reality of which versions remain in use. This pattern is quite common for both open source and proprietary vulnerability disclosures, but is made more difficult with open source projects.”
