What is Apache Struts?
Introduction
Apache Struts is an open-source Java MVC framework for building enterprise-ready web applications on top of the Java Servlet API. It is developed and maintained by the Apache Software Foundation.
Without Apache Struts, a standard Java web application works like this: first, it receives data through a web form submitted by the client. That data is then passed on to Java Servlets or JavaServer Pages (JSP). The servlet code interacts with the database and builds an HTML response, and JSP pages can be used to blend Java and HTML code.
The problem with this approach is that, although it is straightforward, it can create maintenance problems and make debugging very difficult. Apache Struts addresses this problem.
How does Apache Struts work?
Apache Struts fixes this problem by introducing a controller. The controller's main purpose is to manage the information passed between the model and view components. The model and view components keep their usual roles: the model holds the application logic that interacts with the database, and the view is the client-side part.
Vulnerabilities
Many security vulnerabilities have been reported in Apache Struts. Most of them are attributed to the Object-Graph Navigation Language (OGNL), which Struts uses behind the scenes.
Some of these vulnerabilities are severe, since they allow intruders to exploit weaknesses in the framework itself. The most dangerous class is remote code execution, which can let an intruder take control of the server on which your code is hosted.
Vulnerabilities related to cross-site scripting and denial of service were found in the first versions of Struts. Since then, most of the vulnerabilities found have been related to OGNL.
Later on, in 2017, the framework again allowed remote code execution. The Apache Struts project recommended that users upgrade to version 2.3.32 or 2.5.10.1 at that time.
Solution
As software engineers, it is important for us to understand security and the weaknesses in the frameworks and languages we use.
You may have noticed that frameworks are updated regularly. One of the main reasons is to fix security issues reported by users and researchers. If the framework you use has an inherent issue, you can report it to the core development team so they can fix it. Another option is to maintain your own fork of the framework and fix the issues yourself, but that means investing time in maintaining it.
Another important aspect is the set of best practices you follow as a software engineer. Performing static analysis of your code, following the recommended practices of the tools and frameworks you use, and knowing the ins and outs of the language all become key.
A tool like WhiteSource can help here. A big advantage of these kinds of tools is that they also keep an eye on vulnerabilities in the packages and libraries you use. Whenever a security issue is reported in one of those packages, the tool automatically opens a pull request so that you can fix the vulnerability, either by updating the package or by modifying the code, and then merge the pull request.
The main advantage of WhiteSource is that it offers features like repository integration, static analysis, and continuous security. It can also provide real-time analysis of your code, which is handy for finding potential vulnerabilities before the code is ever run.
With WhiteSource you can run a number of checks to find possible weaknesses in your code. This lets you replace older versions of the libraries and packages you depend on. It also offers static analysis of your code, which helps you avoid mistakes that could become a vulnerability.
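The simplest version of what such a dependency scanner does is a check of your build file against known fixed versions. The following added example (not from the article, and not WhiteSource code) reads a constructed Maven pom.xml, resolves the struts2-core version through a `${property}` reference, and compares it against the two fixed releases the article names, 2.3.32 for the 2.3 branch and 2.5.10.1 for the 2.5 branch; those two thresholds are the only advisory data it knows.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
# Minimum fixed releases the article cites for the two branches maintained in 2017.
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Constructed sample pom.xml pinning an older 2.3.x release through a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.30</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def is_fixed(version):
    """True if struts2-core is at or above the fixed release of its branch."""
    v = parse_version(version)
    if v >= FIXED_2_5:
        return True
    # 2.3.x is fixed from 2.3.32 on; anything below 2.3.32 predates both fixes.
    return FIXED_2_3 <= v < (2, 5)

def find_struts_versions(pom_xml):
    """Return [(resolved_version, fixed)] for each struts2-core dependency."""
    root = ET.fromstring(pom_xml)
    props = {c.tag[len(NS):]: (c.text or "").strip()
             for p in root.iter(NS + "properties") for c in p}
    results = []
    for dep in root.iter(NS + "dependency"):
        gid = dep.findtext(NS + "groupId", default="")
        aid = dep.findtext(NS + "artifactId", default="")
        if (gid, aid) != ("org.apache.struts", "struts2-core"):
            continue
        raw = dep.findtext(NS + "version", default="").strip()
        # Expand a ${property} reference so the check sees the real version.
        if raw.startswith("${") and raw.endswith("}"):
            raw = props.get(raw[2:-1], raw)
        results.append((raw, is_fixed(raw)))
    return results

if __name__ == "__main__":
    for version, fixed in find_struts_versions(SAMPLE_POM):
        print(f"struts2-core {version}: {'ok' if fixed else 'UPGRADE REQUIRED'}")
```

Running it against the sample flags 2.3.30 as needing an upgrade; a real scanner differs mainly in pulling its fixed-version table from an advisory feed instead of two constants.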
Conclusion
As a software engineer, understanding automation and taking advantage of it is essential. You can't take care of everything manually; automated processes ensure that nothing is forgotten and that everything is properly logged. This will save you a lot of pain in the future.