Apache Struts Vulnerabilities Burden Us With a ‘Stay or Go’ Deliberation

There’s never a dull moment with Apache Struts. Aside from ongoing remote code execution vulnerabilities which seem to be announced on an ongoing basis, every year, by recent count, a high-profile vulnerability is publicized that sparks the age-old debate anew: should I continue using Apache Struts or should I migrate to a different framework?

Apache struts ranked 24 among most popular open source frameworks

Apache Struts ranked no. 24 with a score of 64 amongst most popular frameworks
https://hotframeworks.com/ 

In 2017 it was CVE-2017-5638 that brought down credit bureau Equifax, followed by remote execution vulnerability CVE-2017-9805 several months later. In August of this year, it was CVE-2018-11776 that threatened to be even more impactful than its predecessor from the year before.

After 18 years on the market, the Apache Struts project is still widely used by enterprises globally, with estimates suggesting that in 2017 at least 65 percent of the Fortune 100 companies relied on web applications built with the Apache Struts framework. It is estimated that 57 percent of companies continue to expand their use of Apache Struts this year. Failing to ensure Apache Struts vulnerabilities are not present in your code leaves many users at risk of exploitation.

The widespread use of Struts by leading enterprises, along with the proven impact of the vulnerabilities found in it, highlights the very contemplation around the continued use of Struts 2. Stay or go? Migrate to a competing framework or push through. Well, it’s a matter of weighing the benefits against the drawbacks and to help you weed through the debate, we’ve done the legwork and listed the top pros and cons.

Apache Struts Vulnerabilities Suffer from Perils of Age

Con
Struts is a mature and well-maintained project, but its maturity comes at an inevitable cost of calcification. Like most legacy applications (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Anat Richter. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/apache-struts-vulnerabilitie