Four in five Apache Struts 2 downloads are for versions featuring critical flaw

Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code. The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 in terms of CVSS severity. It is a logic bug in the framework's …

  1. Rich 2 Silver badge

    So…..

    Why didn’t they take the faulty versions of the code off the server so it couldn’t be downloaded?

    Is it me????

    1. b0llchit Silver badge
      FAIL

      Re: So…..

      That may not be possible without severely breaking your source if you do builds from (a copy of) the source repository and use tags/branches or local hacks. These are cases where you need explicit action.

      However, for pre-compiled builds, which apparently are the problem case here... Well, because automated idiocracy is evolutionarily predetermined?

      But seriously, it is obvious that any pre-compiled version should be "unavailable" from the stream, but historically available by other means.

    2. Avalanche

      Re: So…..

      Maven Central is effectively write-once. Once deployed, artifacts are not removed (except maybe in cases of copyright violation). They don't want to break reproducible builds, and people rely on this. Removal of artifacts with (security) bugs can have all kinds of knock-on effects, including problems for people trying to reproduce problems with a specific released version.
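Because the vulnerable artifacts stay on Maven Central, the check falls to whoever consumes them. The following Python script is an added example (it is not code from the article, from Sonatype, or from the Apache Struts project): it scans the text output of `mvn dependency:tree` for `org.apache.struts:struts2-core` and flags any version below a fixed release for its major line. The sample tree output is constructed, and the threshold versions are labelled placeholders, since the article excerpt does not state which releases fix CVE-2023-50164.

```python
"""Flag struts2-core versions below an assumed fixed release in `mvn dependency:tree` output.

Added example; not code from the article, Sonatype, or the Apache Struts project.
"""
import re
from typing import Dict, List, Tuple

# A dependency:tree line looks like:
#   [INFO] +- org.apache.struts:struts2-core:jar:2.5.30:compile
# i.e. group:artifact:packaging:version:scope separated by colons.
DEP_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<packaging>\w+):"
    r"(?P<version>[\w.-]+):(?P<scope>\w+)"
)

# PLACEHOLDER thresholds: the article does not state the fixed releases, so these
# numbers are illustrative only. Take the real values from the Apache Struts
# advisory for CVE-2023-50164 before using this check for real.
ASSUMED_FIXED: Dict[str, Dict[int, str]] = {
    "org.apache.struts:struts2-core": {2: "2.5.99", 6: "6.9.9"},
}

# Constructed sample output, shaped like a real `mvn dependency:tree` run.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ legacy-webapp ---
[INFO] com.example:legacy-webapp:war:1.0.0
[INFO] +- org.apache.struts:struts2-core:jar:2.5.30:compile
[INFO] |  \\- org.apache.struts:struts2-convention-plugin:jar:2.5.30:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.3.30:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.30' into (2, 5, 30). Parsing stops at the first non-numeric
    piece, so '2.5.30-SNAPSHOT' also yields (2, 5, 30)."""
    parts: List[int] = []
    for piece in re.split(r"[.-]", v):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_fixed(version: str, fixed_by_major: Dict[int, str]) -> bool:
    """True if `version` is at or above the fixed release for its major line.
    A major line with no known fixed release is treated as not fixed, which is
    the conservative choice for a security check."""
    v = parse_version(version)
    if not v:
        return False
    fixed = fixed_by_major.get(v[0])
    if fixed is None:
        return False
    # Tuple comparison handles differing lengths: (6, 3, 0) < (6, 3, 0, 2).
    return v >= parse_version(fixed)


def find_vulnerable(tree_output: str,
                    watched: Dict[str, Dict[int, str]]) -> List[Dict[str, str]]:
    """Scan dependency:tree text and return one finding per watched artifact
    whose resolved version is below the fixed release."""
    findings: List[Dict[str, str]] = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue  # header lines and the root coordinate have no scope field
        coord = f"{m['group']}:{m['artifact']}"
        fixed_by_major = watched.get(coord)
        if fixed_by_major is None:
            continue
        if not is_fixed(m["version"], fixed_by_major):
            findings.append({"coordinate": coord,
                             "version": m["version"],
                             "scope": m["scope"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE, ASSUMED_FIXED):
        print(f"VULNERABLE {f['coordinate']} {f['version']} ({f['scope']})")
```

In a real pipeline you would feed it `mvn dependency:tree` output from CI (`mvn dependency:tree > tree.txt`) and fail the build on any finding; the transitive plugin line in the sample is deliberately not watched, to show that the list of coordinates must be maintained as carefully as the thresholds.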

  2. F. Frederick Skitty Silver badge

    Struts is very much a legacy technology in the Java world, so I expect it's being used in old projects where the developers are reluctant to change even a library version for fear of breaking things. The last project I used Struts on was in 2006, at which point it was already falling out of favour thanks to the rise of the Spring framework. Although it could be used with Spring, that framework's own MVC library was much easier to work with. That was also a time when unit testing was still a struggle to enforce on projects - I recall many frustrating meetings with project managers and stakeholders where they saw automated tests as a waste of effort. Classic comment I heard repeatedly was "if you were a competent programmer your code wouldn't need tests".

    1. JamesTGrant Bronze badge

      Totally fair point - but I’ve yet to meet a competent programmer, only human ones.

      1. David 132 Silver badge
        Happy

        Someone really needs to come up with a language or framework named “Competent”, so that we get a lot more Competent Developers.

        1. Joe W Silver badge
          Mushroom

          Programmers...

          There's a language Rock Star - so, while not being a Competent[tm] programmer you can totally be a Rock Star developer...

    2. Anonymous Coward
      Anonymous Coward

      You really can't have a "competent programmer" without management that actually knows what they are doing.

  3. Anonymous Coward
    Anonymous Coward

    Hang on

    WTF is the web server running with privileges to magic uploaded code to secure locations.

    Let alone run it?

  4. CowHorseFrog Silver badge

    The real problem here is defaults. The concept of defaults is broken, someone else should not be deciding to turn something on because they want to, and basically everyone else has no clue of the consequences.
