raajaag

Reputation: 175

how to remediate struts vulnerabilities

I am working on a legacy application, and recently I came to know that there are vulnerabilities in the Struts 1 and Struts 2 versions. I found the following links through Google.

https://www.cvedetails.com/cve/CVE-2016-1182/

https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=6117&version_id=164427&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=3&sha=879cec76600e380d5c5eb51b0257e838f4dac6cf

Here I am confused about how to remediate these vulnerabilities. Can anyone guide me on this?

Upvotes: 0

Views: 1193

Answers (2)

patrickm

Reputation: 91

The best thing to do would be to upgrade to the latest version. Struts 1 is End of Life and won't receive any updates to fix any issues that still exist.

The latest versions of Struts 2 don't appear to have any published CVEs currently, so I would recommend upgrading as soon as you can. It isn't a simple task to migrate to Struts 2, given the huge differences, but short of fixing the vulnerabilities in Struts 1 yourself there is very little else you can do.

Upvotes: 1

mattcousineau

Reputation: 56

Apache Struts 1 reached its EOL in December 2008. Any official support ceased at that time.

I've listed 3 options I've found while researching the same thing:

  • As someone else said in this thread, the safest bet would be to upgrade to Struts 2. Despite sharing the same name, they are completely different frameworks architecturally. I recently looked into this option for a project I'm working on, and I must warn that it can be a monumental task if you are working on a large codebase.
  • The Struts 1 - Struts 2 plugin: this plugin is used to wrap Struts 1 Actions and ActionForms into Struts 2 Action classes. You can use this to add some of the newer version's functionality for validation. You will need to research whether this is actively accepted and maintained; it's been a while since I've looked into it.
  • Create custom security patches for your legacy application.

Upvotes: 1
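Both answers make the remediation hinge on which Struts generation and version is actually deployed, so the first practical step is an inventory of the application's jars. The script below is an added example, not code from the question or either answer: it reads each jar's MANIFEST.MF (falling back to the version in the file name), flags every Struts 1 artifact as end-of-life per the answers above, and compares Struts 2 artifacts against a minimum version. The minimum version, the sample jar names and their manifests are all constructed placeholders; the threshold should be replaced with whatever the current Struts 2 release is at the time of the check.

```python
import io
import re
import zipfile
from pathlib import Path

# Placeholder policy value (assumption, not from the page): the lowest Struts 2
# version you are willing to keep running. Set it to the current release.
MIN_STRUTS2_VERSION = (2, 5, 0)


def parse_version(text):
    """Turn a version string such as '1.3.10' into a tuple of ints for comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def read_manifest(jar_bytes):
    """Return the MANIFEST.MF headers of a jar as a dict with lower-cased keys."""
    headers = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return headers  # jar without a manifest
    # Manifest continuation lines start with a single space; join them first.
    for line in raw.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def assess_jar(name, jar_bytes):
    """Classify one jar and return (status, version_string)."""
    h = read_manifest(jar_bytes)
    title = (h.get("implementation-title") or h.get("bundle-symbolicname") or name).lower()
    version = h.get("implementation-version") or h.get("bundle-version") or ""
    if "struts" not in title and "struts" not in name.lower():
        return ("not-struts", version)
    # Fall back to the version embedded in the file name, e.g. struts-core-1.3.10.jar
    if not version:
        m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", name)
        version = m.group(1) if m else ""
    v = parse_version(version)
    if not v:
        return ("struts-unknown-version", version)
    if v[0] == 1:
        return ("struts1-eol", version)          # Struts 1 is EOL: no fixes will ever ship
    if v < MIN_STRUTS2_VERSION:
        return ("struts2-outdated", version)     # Struts 2 but below the chosen threshold
    return ("struts2-ok", version)


def scan_lib_dir(lib_dir):
    """Assess every *.jar in a WEB-INF/lib style directory."""
    return {p.name: assess_jar(p.name, p.read_bytes()) for p in Path(lib_dir).glob("*.jar")}


def make_jar(title, version):
    """Build a minimal in-memory jar carrying only a manifest (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
            f"Implementation-Version: {version}\r\n",
        )
    return buf.getvalue()


def demo():
    """Run the assessment over constructed sample jars instead of a real lib directory."""
    samples = {
        "struts-core-1.3.10.jar": make_jar("Struts Core", "1.3.10"),
        "struts2-core-2.3.16.3.jar": make_jar("Struts 2 Core", "2.3.16.3"),
        "struts2-core-2.5.26.jar": make_jar("Struts 2 Core", "2.5.26"),
        "commons-logging-1.2.jar": make_jar("Apache Commons Logging", "1.2"),
    }
    return {name: assess_jar(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for jar, (status, version) in sorted(demo().items()):
        print(f"{jar:30} {version:10} {status}")
```

Point `scan_lib_dir()` at the exploded WAR's `WEB-INF/lib` to run it against a real deployment; any `struts1-eol` hit is a jar that cannot be fixed by upgrading in place, which is exactly the situation both answers describe.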
