
List:       tomcat-user
Subject:    Re: [OT] Dealing with an insecure Struts application on Tomcat
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2023-10-19 21:08:25
Message-ID: 5d584c1a-37c5-4807-a3b8-67b293a55356 () christopherschultz ! net

Alan,

On 10/19/23 12:44, Alan F wrote:
> I am looking at security steps to mitigate issues with a 1.x Struts based app.

Is this from a "Struts 1 is vulnerable" perspective? Because -- on paper 
-- it is. Vulnerable that is. But that doesn't necessarily mean that 
your application is vulnerable. I encourage you to read the CVEs 
associated with Struts 1 to see if they apply to you.

> I have recommended the following until an upgrade resource is available
> 
> Remove application from current shared datasource
> Remediate high risk CVE scored vulnerabilities (x4 with high EPSS rating)
> Reduce exposure to internal audience.
> Create new db and instance for above isolated datasource
> 
> Would you take it further and ensure this runs on its own separate Tomcat instance?
> Any other recommendations?

This depends upon what your threat model is. If the application seems 
like it's vulnerable, then isolating it from other applications may make 
some sense. But if your primary concern is access to the underlying 
data, then isolating the application won't protect the data.

I'm not sure what you mean by "shared data source". If you have a 
server-defined data source that is being shared by individual 
applications, then you probably just shouldn't be doing that in general.

Note that upgrading from Struts 1 to Struts 2 will probably require a 
complete rewrite of your application. :/

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
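As an added illustration (not from the thread, and not Chris's or Alan's configuration), these Tomcat fragments contrast the two data-source layouts discussed above: a server-wide data source that every webapp links to, versus a data source defined only in the isolated application's own context against its own database and account. Hostnames, database names, JNDI names and credentials are assumed placeholders.

```xml
<!-- Shared pattern (the one to move away from): a single data source in
     conf/server.xml that every webapp links to. Every application reaches the
     database through the same account, so a flaw in the Struts 1 app exposes
     whatever that account can read, not just that app's tables. -->
<GlobalNamingResources>
  <Resource name="jdbc/SharedDS" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/shared"
            username="app_all" password="CHANGEME_PLACEHOLDER"/>
</GlobalNamingResources>

<!-- ...and in each webapp's META-INF/context.xml: -->
<Context>
  <ResourceLink name="jdbc/SharedDS" global="jdbc/SharedDS"
                type="javax.sql.DataSource"/>
</Context>

<!-- Isolated pattern: the Struts 1 app's own META-INF/context.xml defines a
     data source against a separate database (the "new db" in Alan's plan) with
     a dedicated account that holds no grants on the other applications' data.
     The JNDI name is private to this context; no other webapp can look it up. -->
<Context>
  <Resource name="jdbc/LegacyStrutsDS" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db-legacy.example.internal:5432/legacy_struts"
            username="legacy_struts_app" password="CHANGEME_PLACEHOLDER"
            maxTotal="10" maxIdle="2" maxWaitMillis="5000"/>
</Context>
```

The `<Resource>` attributes shown are the standard Tomcat DBCP2 pool settings; if the app is also moved to its own Tomcat instance (separate CATALINA_BASE), the second fragment travels with the webapp unchanged.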
