Last year, an unpatched Apache Struts vulnerability was the foundation of a significant data breach that forced Apache Struts into the spotlight. This vulnerability, CVE-2017-5638, emphasized the impending risks for Apache Struts-based applications.
Although this data breach was revealed to the public near the end of 2017, the vulnerability itself had been disclosed by the vendor and the National Vulnerability Database several months earlier. RiskSense researchers uncovered an applicable exploit for the vulnerability and were able to prioritize this vulnerability for our clients within sixteen days of exploit discovery. Not everyone was so lucky.
RiskSense’s vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. This type of pattern analysis allowed us to predict vulnerability exploitability and use this information to prioritize vulnerabilities for remediation.
We presented these findings and observations on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities in our Apache Struts Spotlight Report. In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide additional insight into exploit patterns and explain how these patterns can define an organization's risk management strategy.
You can find our Apache Struts Spotlight Report here.