Oct 3, 2017

Good Advice from the Apache Struts Team on keeping your Servers Patched

If you have been tracking the recent Equifax breach, it should remind all IT professionals to always have someone dedicated to keeping servers properly updated. 

I found this article and I thought the below advice from the Apache Struts team applies to any J2EE server.  It seems to apply to any publicly accessible Web or Application server product.

Please note that ColdFusion does NOT use any portion of Apache Struts.

The below advice can be found inside the complete article here:

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. 

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 
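
As an added illustration of recommendation 1 (not part of the Apache Struts statement or the original post), the sketch below inventories the jars bundled in a J2EE WAR file and compares them against a list of first-fixed versions. The jar names, the advisory entries and all function names are constructed for this example.

```python
import io
import re
import zipfile

LIB_RE = re.compile(r"^WEB-INF/lib/([^/]+)\.jar$")   # jars bundled in a WAR
VER_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*)$")      # "artifact-1.2.3" -> name, version

def parse_version(text):
    """'2.3.0' -> (2, 3); trailing zeros dropped so 2.3 and 2.3.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def inventory(war_bytes):
    """Map each jar in WEB-INF/lib to its version tuple, or None if unparseable."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            lib = LIB_RE.match(entry)
            if not lib:
                continue
            ver = VER_RE.match(lib[1])
            found[ver[1] if ver else lib[1]] = parse_version(ver[2]) if ver else None
    return found

def outdated(found, advisories):
    """Jars whose bundled version is below the first fixed version in an advisory."""
    return sorted(name for name, ver in found.items()
                  if ver is not None and name in advisories
                  and ver < parse_version(advisories[name]))

def unverified(found):
    """Jars with no parseable version: these need a manual check."""
    return sorted(name for name, ver in found.items() if ver is None)

def build_sample_war():
    """Constructed sample WAR; the jar names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in ("example-framework-2.3.1.jar", "example-logging-1.2.0.jar", "legacy-util.jar"):
            war.writestr("WEB-INF/lib/" + jar, b"")
        war.writestr("index.jsp", b"")
    return buf.getvalue()

# Constructed advisory list: artifact -> first fixed version (placeholder values).
ADVISORIES = {"example-framework": "2.3.4", "example-logging": "1.2"}

if __name__ == "__main__":
    inv = inventory(build_sample_war())
    print("update now:", outdated(inv, ADVISORIES))
    print("check by hand:", unverified(inv))
```

Jars without a parseable version are reported separately because an unversioned library cannot be matched against any security announcement.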


  1. Hi, Mike. Thanks for the post and the reference to the other resource. That said, you say near the top, "Please note that ColdFusion does use any portion of Apache Struts", and I think you were meaning to say it "does NOT use" Struts, right? Keep up the good work.

  2. Thanks - I swear I fixed that. Must have not saved it a few weeks ago. Thanks for catching. I had some customers asking me if CF used Struts as well.

  3. Glad to help. Thanks for the confirmation. Will we see you at CF Summit this year?

  4. Yes. Speaking as well. Rebuilding \ Refreshing my Scaling ColdFusion talk from 2015.

  5. Oh, great. To be clear, I had looked before asking. You're not listed at https://cfsummit.adobeevents.com/speakers/ or on the agenda days at https://cfsummit.adobeevents.com/agenda/. Are you perhaps tag-teaming with someone and they only listed one of you? That would seem a shame. Anyway, see you there!

    1. Title: Scaling Your ColdFusion Applications

      Desc: How many instances, servers or containers do you really need? What happens when an instance goes down? In this session we will look at performance metrics to accurately know an optimal number of servers as well as session management strategies to increase your uptime and improve your end users' overall experience. Session topics will include: Using Local and Remote Web Servers, Load Balancing (Hardware and Software based), Tomcat Connector Features, Understanding ColdFusion Clustering, Using Docker Containers and Orchestration, Using Session Management Strategies, API Based Applications, Load Testing Applications and Security and Monitoring. We will have several demonstrations along the way.

  6. No teaming - Elishia had me tentative until she completed the schedule recently - she had some slots to fill.

  7. Right, there are still some timeslots that list only 3 sessions instead of 4. I assume you'll be slotted in there (I hope not against mine. I'd love to see your talk!) Until then.