Apache Struts, a pioneering open source project has been set ablaze for issuing misleading security advisories that may have placed unnecessary danger to users of its software.
Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.
In total, 24 of the 57 Apache Struts security advisories – nearly half – made mistakes when listing the versions of the framework that were impacted by vulnerabilities.
In fact, 61 additional versions of Struts were impacted by at least one previously disclosed vulnerability, potentially exposing users to attack.
“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missing in the original assessment,” Synopsys argued.
“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”
On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.
Apache Struts will be known to many as the web app framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on more than half of all Americans and millions of United Kingdom consumers.
That incident of issuing misleading security advisories already has cost the credit agency in excess of $1BN, as well as the jobs of the CEO and other senior executives.