While this might be a popular feature, it's pretty well handled by the Struts team IMHO and I can hardly think what else we can do about it.
I only found one really small thing that could be corrected. In the CVE announcement (and other bulletins) here https://cwiki.apache.org/confluence/display/WW/S2-066, 2.5 is not marked as EOL (but it is in fact EOL already and well announced). That one small thing might be a bit misleading for someone who looks at the security bulletin, so it might be worth updating the bulletins. Łukasz - maybe you can update those bulletins?

It's a critical one, yes, and easy to exploit from what I can say (it has a 9.5 critical rating on the scale of 10). And it seems that any application that used file upload before Struts 6.4 must be converted to the new mechanism. So this one is not as easy as "upgrade to new version" - it's "upgrade to new version and modify your application to use the new mechanism" - which I guess is why people are stirred by it. But - coming from outside - the links, explanation, and all the documentation about it provided by the Struts team are pretty clear about it, the severity is well assigned, there is a very clear migration path - and I do not think the update is "complex". It's costly, yes, if you are using a Struts version that has been EOL for 7 months, but this is precisely something that our users have to learn - that when we properly announce EOL, they have to bear all the costs connected with it.

One thing that could be - potentially - problematic is that there is no fix or workaround available for Struts prior to 6.4.0 - which is a relatively new release (24 April 2024) - and - as far as I understand - anyone who used the interceptor before - which I think was necessary/useful to gather meta-data about the uploaded file - has to migrate to 6.4.0 at least. But this is not a major release, feature only, so it should be fine. Struts follows Semantic Versioning, so upgrading to 6.4.0 should be "easy" (which directly follows the CRA guidelines on which versions should be patched, as far as I understand them). The Struts team did everything right IMHO.
There was an announcement made in October 2023 that Struts 2.5 would reach EOL and that everyone should migrate to Struts 6: https://struts.apache.org/struts25-eol-announcement. It's publicly announced at https://struts.apache.org/ in a very prominent place, and the EOL database https://endoflife.date/apache-struts correctly shows that 2.5 has already reached EOL accordingly. I don't think there is any "noise". Also, when you announce a critical vulnerability, it should never be considered "noise". This is what announcements are for, and this one is almost as critical as it can get.

I think - to be perfectly blunt - IMHO neither we nor Struts should release any extra statements that could be interpreted as "we have not already done enough". We (the Struts team particularly) did everything right, made all the necessary announcements, had very clear explanations and followed all the best practices as far as I can see. If someone still uses a clearly EOL version of Struts 7 months after release, they have to learn to do better, not us. Making extra statements would be somewhat like stating "The standard processes and best practices are not enough", and it might set a precedent that in the future those who are not following the announcements and advisories will expect us to do "more". I think that would be a dangerous precedent.

If anything, maybe Dirk - you should forward this analysis (if my short investigation findings are confirmed as correct by Łukasz and the Struts team) to your customers and tell them "you are not wary enough - learn from that". But - of course - that's just my opinion :). I think there is a limit to being helpful and proactive - and we (and the Struts team) did all the right things there - and sometimes learning by falling into a trap that you set for yourself is the best way to improve.

J.
On Wed, Dec 18, 2024 at 9:22 PM Dirk-Willem van Gulik <di...@webweaving.org> wrote:

> Quite a few of my customers appear to be taken off guard / have missed the
> significance of
>
> https://nvd.nist.gov/vuln/detail/CVE-2024-53677
>
> even those that are normally quite awake at the helm. So I am wondering if
> we need to do something a bit more pro-active?
>
> Like a blog post or have the PR folks prepare something - i.e. more than
> just the normal struts announce noise.
>
> Any thoughts anyone? Or not a universal thing? And I happened to live in
> a statistical cul de sac?
>
> Dw.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail: security-discuss-h...@community.apache.org
>