My security scanner says the Apache Struts library in Yellowfin is vulnerable!
UPDATE - March 11th, 2020: As of Yellowfin 8.0.4 and higher, we have moved frameworks from Struts to Spring.
September 27th, 2017
If you've arrived at this article, don't panic! Yellowfin's Apache Struts library is likely NOT as outdated as your security scanner makes it out to be!
NOTE: If you are running Yellowfin 8 or earlier, you are now running an end of life version and we recommend upgrading using our best practices as soon as possible.
Here at Yellowfin we take security disclosures seriously. Yellowfin is currently using the Apache Struts V. 1 framework. While this framework is officially EOL, it is still being maintained by the Fedora Core project. In addition to this, Yellowfin patches this library ourselves against any severe vulnerabilities that we find to affect Yellowfin.
You may notice that your vulnerability scan lists our Struts library as version 1.3.10. Yes, it's true that version 1.3.10 has a number of vulnerabilities that can be leveraged against the library. If you drop down into the file system of our application, you may notice that the library is in actuality 1.3.10.17.fc, indicating that it has been patched at least 17 times since the original version. The fc appended to the version indicating that it's maintained by Fedora Core. These patches help us take mitigating actions against reported vulnerabilities as we find them.
Note that this library version has been pulled from our newest build of Yellowfin at the time of this writing, 20170908.
I urge those with concern to submit a support ticket listing any CVE's of particular concern involving Apache Struts. We will do our best to provide you an answer of whether it should be a concern, and why or why not. I will continue updating this article with CVE's brought to us against this library, along with a date and build number in which the vulnerability is patched, if deemed exploitable against our application.
Why don't you upgrade your application to Struts v. 2 or up?
Struts has not been updated to version 2 because of an internal architecture change with a migration to a more JavaScript based user-interface layer. This migration began several years ago and is a key focus for our product roadmap. Our plan is to remove struts entirely from Yellowfin as soon as possible but aligned to our product roadmap. Struts provides functionality for several different components within Yellowfin such as forwarding, form population, and internationalization. Some functions are now redundant but the remaining components are likely to be replaced independently, most likely with custom code and a restful library.
Reviewed and Tested Vulnerabilities
Ryan.