At the beginning of the month, a university in Guangdong (Sun Yat-sen University) issued a notice: Notice on Ceasing Use of the Apache Struts 2 Development Framework
In view of the vulnerabilities in S2 and the difficulty of maintaining it, and in order to prevent and control network security risks, new informatization projects should not use S2.
Information systems (websites) built on S2 should be migrated to other, more secure MVC frameworks (such as Spring MVC) as soon as possible; from now on, information systems (websites) that use S2 will only be accessible from within the campus network.
As an information security enthusiast, I personally support the school's decision with both hands. The Struts 2 framework seems inherently flawed in terms of security, and the problem is that it has far too many vulnerabilities compared with similar open source projects. Here are the reasons for my personal support:
Third: operation and maintenance costs
The Struts 2 framework is part of the underlying core of a web application; upgrading it to apply a patch is not as simple as replacing a file directly, and you must consider whether the upgrade affects the functionality of the site's application.
In addition, every patch update requires stopping the service, which causes business disruption. Take the timeline of the 2017 Struts 2 high-risk remote code execution vulnerabilities as an example:
March 7, 2017: S2-045 remote code execution; you need to stop the service and apply the patch;
March 20, 2017: S2-046 remote code execution; you need to evaluate patching;
July 7, 2017: S2-048 remote code execution; you need to evaluate patching;
In the first half of the year alone, Struts 2 vulnerabilities forced you into downtime maintenance three times, not to mention the cases where, before the application system could be patched, it was found to have already been compromised through the vulnerability and required emergency response.
The second half of the year was no easier:
September 5: Apache Struts 2 officially disclosed a serious vulnerability, the Struts 2 S2-052 remote code execution vulnerability; you need to stop the service and apply the patch;
September 7: Apache Struts 2 officially disclosed yet another RCE vulnerability, the Struts 2 S2-053 remote code execution vulnerability; you need to stop the service and apply the patch;
Perhaps you have grown accustomed to this stream of Struts 2 vulnerabilities, but have you noticed that in 2017 the Struts 2 RCE vulnerabilities usually appeared in pairs within the same month?
For example, the March remote code execution vulnerabilities S2-045 and S2-046. Perhaps the vulnerability publishers felt that two bursts in one month would give the public a more lasting pleasure,
and perhaps there will be three bursts, four bursts, ...
Those in universities who still run business systems on the Struts 2 framework need the following capabilities:
If you do not have the technical strength of a BAT company (Baidu, Alibaba, Tencent), then you need a heart of iron and plenty of energy, able to withstand cutting off the network or applying patches in the early morning hours;
You also need a glib tongue, with all sorts of reasons ready to explain to the leadership why the production environment needs such frequent downtime for maintenance;
Finally, you need the courage to take responsibility: when a data leak or reactionary tampering occurs, you must be able to step forward and take the blame on the leadership's behalf.
If you do not have these abilities, then you should consider abandoning application systems built on the Struts 2 framework.
In fact, the solution to the worries above is simple: at the initial stage of building a new product, during the product selection research phase, you only need to ask, "Does your company's product use Struts 2 in its development?"
Why I support the university's business systems abandoning the Apache Struts 2 framework (III)