Struts2 Frequently Asked Questions
How do I determine if my organization is impacted by any Struts2 vulnerabilities?
An analysis of your applications will raise a Security-High policy violation for the Struts2 vulnerability. If you are using Struts and no such violation was raised, you can rest assured you are not affected.
How can I find a list of my applications that contain Struts?
Option 1: Use the Dashboard components view as described in the Lifecycle Dashboard article.
Option 2: Use the Advanced Search from the Lifecycle UI.
Option 3: Use the REST API to search for the component.
See the Component Search REST API documentation for how to construct the call.
For example, search for the coordinates org.apache.struts:struts2-rest-plugin:*:*:* (where * is a wildcard).
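As an added illustration (not code from the Sonatype documentation), the following script shows how the wildcard coordinate patterns used on this page, both the five-field form above and the shorter org.apache.struts:struts2-rest-plugin:* form, can be matched against an exported component inventory to list the applications that contain Struts. The inventory is constructed for the example, and the assumed field order after groupId:artifactId is version:classifier:extension.

```python
from fnmatch import fnmatchcase

# Assumed field order for a full coordinate pattern (five fields, '*' wildcards allowed).
FIELD_COUNT = 5

def split_coordinates(text, fill):
    """Split 'g:a:v:c:e' into exactly five fields, padding short forms with `fill`.

    Patterns are padded with '*' so 'g:a:v' means 'any classifier, any extension';
    component coordinates are padded with '' so a short component never over-matches.
    """
    parts = text.split(":")
    if not 2 <= len(parts) <= FIELD_COUNT:
        raise ValueError(f"bad coordinates: {text!r}")
    return tuple(parts + [fill] * (FIELD_COUNT - len(parts)))

def matches(pattern, coordinates):
    """True when every field of `coordinates` matches the corresponding pattern field.

    Matching is case-sensitive, as Maven coordinates are; '*' matches any field value,
    including an empty classifier.
    """
    want = split_coordinates(pattern, fill="*")
    have = split_coordinates(coordinates, fill="")
    return all(fnmatchcase(h, w) for h, w in zip(have, want))

def find_affected(pattern, inventory):
    """Return the sorted set of application names with at least one matching component."""
    return sorted({item["application"] for item in inventory
                   if matches(pattern, item["coordinates"])})

# Constructed sample inventory (application name plus component coordinates), such as
# one might export from a component search or a proxy-repository audit report.
INVENTORY = [
    {"application": "payments-api", "coordinates": "org.apache.struts:struts2-rest-plugin:2.5.16::jar"},
    {"application": "payments-api", "coordinates": "org.apache.struts:struts2-core:2.5.16::jar"},
    {"application": "hr-portal",    "coordinates": "org.apache.struts:struts2-core:2.3.34::jar"},
    {"application": "reporting",    "coordinates": "com.example:struts-lookalike:1.0::jar"},
]

if __name__ == "__main__":
    for pattern in ("org.apache.struts:struts2-rest-plugin:*:*:*",
                    "org.apache.struts:struts2-rest-plugin:*",
                    "org.apache.struts:*"):
        print(f"{pattern}: {find_affected(pattern, INVENTORY)}")
```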
How should we remediate this issue?
Upgrade the component to the newly released non-vulnerable version. Refer to the in-product security vulnerability information for additional details on mitigating the vulnerability exposure.
How can we prevent future exploits?
It is almost impossible to avoid zero-day vulnerabilities. There will always be a time gap between when a zero-day is discovered and when it is publicly reported, and another between the public release and the vulnerability appearing in evaluation results. Immediate notification is a key element for limiting potential impact. Sonatype is often aware of a new vulnerability announcement in advance, enabling us to provide notice within IQ Server before the issue is released publicly. In other instances, we must perform the issue identification and research after the issue is publicly released; in these cases, we strive to include the vulnerability in our data within a few hours of the announcement.
There are additional preventative measures that can be established within your development practices that will better prepare your organization for these situations and decrease your time to respond. Contact Customer Success to learn more about how Sonatype Lifecycle and associated best practices can help.
Sonatype Repository Firewall Customers
Sonatype Repository Firewall can audit component downloads from a given proxy repository (Java, .NET, npm, Python). Users can view a report that contains all components that have previously been downloaded to your Nexus Repository through the applicable proxy repository.
This report can be reviewed for any instance of Struts. Users can search for a particular Struts component (e.g. org.apache.struts:struts2-rest-plugin:*). In addition, the Firewall results include Sonatype-curated vulnerability information, for this CVE and others, that is only available to Sonatype “Firewall” and “Lifecycle” customers.
If this component is found, it was previously downloaded into your Nexus Repository. As a result, the component is available to any application with privileges to access that proxy repository. To associate a component with a specific application, please use Sonatype’s “Application Health Check (AHC)”, a no-cost service. To automate this monitoring across all applications, see “Sonatype Lifecycle” above.
Can Repository Firewall help with other known vulnerabilities?
In addition to auditing component downloads, Sonatype Repository Firewall is designed to quarantine component download requests based on IQ Server policy configuration. You can configure policy to quarantine new downloads of known vulnerable versions of any component, for any range of criticality. See the blog post "How to Keep Vulnerable Versions of Struts Out of Your Nexus Repository" for guidance on how this can be achieved.
Nexus Repository Pro Customers
Repository Health Check (RHC) can audit component downloads from a given proxy repository (Java, .NET, npm, Python). Users can view a report that contains all components that have previously been downloaded to your Nexus Repository through the applicable proxy repository.
This report can be reviewed for any instance of Struts. Users can search for a particular Struts component (e.g. org.apache.struts:struts2-rest-plugin:*). In addition, the RHC report includes links to the associated CVE.
If this component is found, it was previously downloaded into your Nexus Repository. As a result, the component is available to any application with privileges to access that proxy repository. To associate a component with a specific application, please use Sonatype’s “Application Health Check (AHC)”, a no-cost service. To automate this monitoring across all applications, see “Sonatype Lifecycle” above.
How can Repository Health Check (RHC) help with other known vulnerabilities?
Enabling RHC on all supported repository types provides insight into component downloads across your proxy repositories. In addition, the report includes trend analysis based on month-to-month asset downloads.
Additional information related to recent Struts2 vulnerability announcements
Sonatype Statements
http://blog.sonatype.com/sonatype-statement-struts2-and-equifax-breach
http://blog.sonatype.com/alert-three-things-to-know-about-the-newest-struts2-vulnerability
http://blog.sonatype.com/struts2-vulnerability-cracks-equifax
http://blog.sonatype.com/bracing-for-impact-in-more-ways-than-one-apache-struts2-s2-053
CVE-2018-11776 Disclosure