MVC Framework Guidance

Characteristic Description

Entities with this label display content suggesting that their web applications use an implementation of the model-view-controller (MVC) architecture. MVC frameworks such as Apache Struts (https://struts.apache.org/) and Spring (https://spring.io/) have had widely publicized, high-impact vulnerabilities that affected a range of applications built on them. Although the specific framework and version could not be detected, expect attackers to try any reliable exploits in their possession against these applications on the chance that they are built on a vulnerable framework.

Recommendation

Configure

Implement any security-related configuration advice offered by vendors where possible. For in-house developed applications, place more emphasis on following secure coding practices.

Other Options

Control

Web application firewalls are effective tools for mitigating attacks against MVC frameworks. The closer application security policies are to default deny, the better insulated systems will be against new threats. Having the means to block new attack patterns as they emerge is a better capability than having no protection at all.

Accept

In some cases, there will be no option but to accept the presence of MVC frameworks, particularly in third-party products running software outside of our direct control. Reviewing third-party notices from vendors for MVC frameworks can provide more information. Having these cases documented ahead of the announcement of new attacks will make it easier to prioritize the affected systems for patching or isolation when necessary.

Related Incidents