A leading open source project has come under fire for publishing security advisories that understated which versions were affected, potentially leaving users of its software exposed to known vulnerabilities.
Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.
In total, 24 of the 57 Apache Struts security advisories – nearly half – listed the affected versions of the framework incorrectly.
As a result, 61 additional versions of Apache Struts were affected by at least one previously disclosed vulnerability without being listed in the corresponding advisory, potentially exposing users to attack.
“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment,” Synopsys argued.
“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”
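The audit Synopsys describes amounts to a set comparison: for each advisory, derive the releases that are actually vulnerable from the release list and the fix versions, then diff that against the versions the advisory names. The script below is an added example and is not Synopsys' tooling or Apache Struts project code; the release numbers, advisory identifiers (ADV-A, ADV-B) and affected ranges are constructed for illustration and are not real Struts releases or advisories.

```python
"""Audit which releases an advisory should have listed as affected.

Added example, not Synopsys' tooling or Apache Struts project code.
Version strings and advisories below are constructed for illustration;
they are not real Struts releases or real Struts advisories.
"""


def parse_version(v):
    """'2.3.14.1' -> (2, 3, 14, 1); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))


def affected_versions(releases, ranges):
    """Releases r with introduced <= r < fixed for at least one range.

    Each (introduced, fixed) pair models one vulnerable line: the release
    that introduced the bug and the first release on that line that fixed
    it. A bug patched on two maintenance lines therefore needs two ranges.
    """
    affected = set()
    for introduced, fixed in ranges:
        lo, hi = parse_version(introduced), parse_version(fixed)
        affected.update(r for r in releases if lo <= parse_version(r) < hi)
    return affected


def audit_advisory(releases, advisory):
    """Compare what an advisory lists against what its fix ranges imply.

    'missed' is the dangerous case from the article: versions that are
    vulnerable but that the advisory failed to list. 'false_positive' is
    the milder case: versions listed as affected that never were.
    """
    actual = affected_versions(releases, advisory["ranges"])
    listed = set(advisory["listed"])
    return {
        "missed": sorted(actual - listed, key=parse_version),
        "false_positive": sorted(listed - actual, key=parse_version),
    }


def versions_missed_by_any_advisory(releases, advisories):
    """Versions exposed by at least one advisory that failed to list them.

    This is the aggregate figure the article reports for Struts (61
    versions); here it runs over the constructed data below instead.
    """
    missed = set()
    for adv in advisories:
        missed.update(audit_advisory(releases, adv)["missed"])
    return sorted(missed, key=parse_version)


# Constructed release list and advisories (hypothetical, not Struts data).
RELEASES = ["2.3.20", "2.3.24", "2.3.28", "2.3.30", "2.5.0", "2.5.2", "2.5.5"]

ADVISORIES = [
    {   # fixed on two lines (2.3.30 and 2.5.5) but 2.3.28 was left off the list
        "id": "ADV-A",
        "ranges": [("2.3.20", "2.3.30"), ("2.5.0", "2.5.5")],
        "listed": ["2.3.20", "2.3.24", "2.5.0", "2.5.2"],
    },
    {   # lists the fixed release 2.5.2 as affected: a false positive
        "id": "ADV-B",
        "ranges": [("2.3.28", "2.5.2")],
        "listed": ["2.3.28", "2.3.30", "2.5.0", "2.5.2"],
    },
]

if __name__ == "__main__":
    for adv in ADVISORIES:
        print(adv["id"], audit_advisory(RELEASES, adv))
    print("missed by at least one advisory:",
          versions_missed_by_any_advisory(RELEASES, ADVISORIES))
```

The "missed" list is the one that matters for a team that pins a cached "known good" version: a release that sits inside a fix range but outside the advisory's list will pass a naive advisory lookup while still carrying the bug. The version parser assumes purely numeric dotted versions; a real audit of a project with parallel maintenance lines and suffixed or four-part version strings would need a parser that understands that scheme before the range comparison is trustworthy.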
On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.
Apache Struts will be known to many as the web application framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on roughly 147 million US consumers and millions of UK consumers.
That incident has already cost the credit agency in excess of $1bn, as well as the jobs of the CEO and other senior executives.