TechQA.

how to remediate struts vulnerabilities

817 views Asked by At

I am working on a legacy application and recently I came to know there are vulnerabilities in struts 1 and struts 2 versions and found the following link through Google.

https://www.cvedetails.com/cve/CVE-2016-1182/

https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=6117&version_id=164427&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=3&sha=879cec76600e380d5c5eb51b0257e838f4dac6cf

Here I am confused how to remediate these vulnerabilities. Can any one guide me in this.

java security struts struts-1 struts1
Original Q&A
2

There are 2 answers

1
patrickm On

The best thing to do would be to upgrade to the latest version. Struts 1 is End of Life and won't receive any updates to fix any issues that still exist.

The latest versions of Struts 2 don't appear to have any published CVEs currently so I would recommend upgrading as soon as you can. It isn't a simple task to migrate to Struts2 with the huge differences but short of fixing the vulnerabilities in Struts1 yourself there is very little else you can do.

1
mattcousineau On

Apache Struts 1 reached it's EOL in December, 2008. Any official support was ceased at that time.

I've listed 3 options I've found while researching the same thing:

  • As someone else said in this thread, the safest bet would be to upgrade to Struts 2. Despite sharing the same name, they are completely different frameworks architecturally. I recently looked into this option for a project I'm working on, and I must warn that it can be a monumental task if you are working on a large codebase.
  • The Struts 1 - Struts 2 plugin - this plugin is used to wrap Struts 1 Actions and ActionForms into Struts 2 Action classes. You can use this to add some of the newer version's functionality for validation. You will need to research whether this is actively accepted and maintained, it's been a while since I've looked into it.
  • Create custom security patches for your legacy application.

Related Questions in JAVA

Related Questions in SECURITY

Related Questions in STRUTS

Related Questions in STRUTS-1

Related Questions in STRUTS1

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions