My security scanner says the Apache Struts library in Yellowfin is vulnerable!
September 27th, 2017
If you've arrived at this article, don't panic! Yellowfin's Apache Struts library is likely NOT as outdated as your security scanner makes it out to be!
NOTE: If you are running Yellowfin 7.1 or earlier, you are running an end-of-life version and we recommend upgrading, following our best practices, as soon as possible.
Here at Yellowfin we take security disclosures seriously. Yellowfin is currently using the Apache Struts 1 framework. While Struts 1 is officially EOL upstream, the package is still maintained, with backported patches, by the Fedora project (formerly Fedora Core). In addition to this, Yellowfin patches this library ourselves against any severe vulnerabilities that we find to affect Yellowfin.
You may notice that your vulnerability scan lists our Struts library as version 1.3.10. Yes, it's true that stock 1.3.10 has a slew of known vulnerabilities. Scanners generally key on that upstream version number, taken from the JAR file name or manifest, and report every CVE recorded against it without checking whether fixes have been backported. If you drop down into the file system of our application, you will see that the library is actually a Fedora build of 1.3.10 carrying release number 17, with the version string on disk ending in .fc: the release number indicates the package has been rebuilt with patches 17 times since the original 1.3.10, and the fc suffix is Fedora's dist tag. These backported patches are how we take mitigating action against reported vulnerabilities as we find them. Note that a release number tells you backports exist, not which CVEs they cover; that is what the ticket process below is for.
The version above was taken from our newest build of Yellowfin at the time of this writing, 20170908.
I urge anyone with concerns to submit a support ticket listing any CVEs of particular concern involving Apache Struts. We will do our best to tell you whether each one is a concern, and why or why not. I will continue updating this article with CVEs brought to us against this library, along with the date and build number in which each vulnerability is patched, if it is deemed exploitable against our application.
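The check described above, as an added example that is not Yellowfin's own code: walk a webapp's WEB-INF/lib, read each Struts JAR's manifest (falling back to the version in the file name), split the version into upstream number, distro release number and dist tag, and report what a scanner keyed on the upstream number alone would flag. The sample JARs, their manifests and the version string 1.3.10-17.fc (RPM-style version-release.dist, assumed here to match the article's description) are all constructed for the demo.

```python
"""Added example, not Yellowfin code: compare what a version-matching scanner
sees with what the deployed JAR's own version string says. All JARs, manifests
and version strings below are constructed for the demo."""
import re
import tempfile
import zipfile
from pathlib import Path

# upstream version, optional distro release number, optional dist tag (fc, fc24, el7, ...)
VERSION_RE = re.compile(
    r"^(?P<upstream>\d+(?:\.\d+)+)(?:-(?P<release>\d+))?(?:\.(?P<dist>fc\d*|el\d+))?$"
)


def parse_version(text):
    """Split '1.3.10-17.fc' into its parts; return None if it is not in that shape."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return {
        "upstream": m["upstream"],
        "release": int(m["release"]) if m["release"] else None,
        "dist": m["dist"],
    }


def read_manifest(jar_path):
    """Parse META-INF/MANIFEST.MF; continuation lines start with a single space."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return {}
    attrs, last = {}, None
    for line in raw.splitlines():
        if not line:
            continue
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of the previous attribute
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def jar_version(jar_path):
    """Prefer the manifest version; fall back to the version embedded in the file name."""
    attrs = read_manifest(jar_path)
    for key in ("Implementation-Version", "Bundle-Version", "Specification-Version"):
        if key in attrs:
            return attrs[key]
    m = re.search(r"-(\d[\w.\-]*)\.jar$", jar_path.name)
    return m.group(1) if m else None


def audit(lib_dir, scanner_version):
    """For each struts*.jar, report what a version-only scanner would flag versus
    what the artifact's own release tag says."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("struts*.jar")):
        version = jar_version(jar)
        parsed = parse_version(version or "")
        findings.append({
            "jar": jar.name,
            "version": version,
            # a scanner keyed on the upstream number alone matches here
            "scanner_flags": bool(parsed) and parsed["upstream"] == scanner_version,
            # a distro release number means backports exist; it does not say which CVEs
            "distro_release": parsed["release"] if parsed else None,
            "dist_tag": parsed["dist"] if parsed else None,
        })
    return findings


def build_sample_lib(target_dir):
    """Constructed WEB-INF/lib: one distro-patched JAR, one stock JAR with no manifest version."""
    lib = Path(target_dir) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    patched = "Manifest-Version: 1.0\r\nImplementation-Version: 1.3.10-17.fc\r\n\r\n"
    with zipfile.ZipFile(lib / "struts-core-1.3.10.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", patched)
    with zipfile.ZipFile(lib / "struts-taglib-1.3.10.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
    return lib


def demo():
    """Build the constructed lib dir in a temp location and audit it against scanner version 1.3.10."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_lib(tmp), "1.3.10")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Both constructed JARs are flagged by the upstream-number match, which is exactly the scanner behaviour the article describes; only the first carries a release number that shows a patched build, and even then the number alone does not identify which CVEs were backported, so the changelog or the vendor still has to be consulted per CVE.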
Why don't you upgrade your application to Struts v. 2 or up?