Yet again: All Struts versions highly vulnerable - upgrade now

Saloon Keeper
The Register has the story, and Apache has also weighed in. This affects all versions prior to 2.3.35 and 2.5.17. Given what happened to Equifax last year, all should upgrade ASAP. Choice quote from The Reg article: "My one takeaway, not a joke - stop using Apache Struts."
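Added example, not code from this thread or from the Apache Struts project: a small Python script that scans a Maven pom.xml for Struts dependencies and flags any version below the fixed releases named in the post, 2.3.35 for the 2.3 branch and 2.5.17 for the 2.5 branch. The sample POM, the groupIds it matches and the status labels are assumptions made for the example; versions on a branch the post does not cover are reported as unknown rather than judged, and Struts 1.x is reported as obsolete, as the thread describes it.

```python
"""Flag Struts dependencies in a Maven POM that sit below the fixed versions
named in the forum post (2.3.35 and 2.5.17).  Example code, not part of the
thread or of Apache Struts."""
import re
import xml.etree.ElementTree as ET

# Fixed version per release branch, as stated in the post.
FIXED_VERSIONS = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# groupIds under which Struts artifacts are published (assumption for the example).
STRUTS_GROUPS = {"org.apache.struts", "struts"}


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}version' -> 'version')."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """Turn '2.5.16' (or '2.5.17-SNAPSHOT', suffix ignored) into a tuple of ints."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Return 'vulnerable', 'fixed', 'obsolete' (Struts 1.x) or 'unknown' (other branch)."""
    parts = parse_version(version)
    if parts[0] == 1:
        return "obsolete"          # Struts 1.x: no fix exists, as the thread notes
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return "unknown"           # branch not covered by the post's numbers
    # Tuple comparison handles four-part versions such as 2.5.16.1 as well.
    return "vulnerable" if parts < fixed else "fixed"


def scan_pom(pom_xml):
    """Return [(artifactId, resolved version, status)] for every Struts dependency."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so that ${struts.version} style references resolve.
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") not in STRUTS_GROUPS:
            continue
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        # A version still containing ${...} came from outside this POM (parent,
        # BOM): report it rather than guess.
        status = "unresolved" if not version or "${" in version else classify(version)
        findings.append((fields.get("artifactId", "?"), version, status))
    return findings


# Constructed sample POM for the example: one property-driven 2.5.x dependency,
# one 2.3 plugin on the fixed version, one Struts 1 artifact, one unrelated library.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.16</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId><version>2.3.35</version></dependency>
    <dependency><groupId>struts</groupId>
      <artifactId>struts</artifactId><version>1.2.9</version></dependency>
    <dependency><groupId>junit</groupId>
      <artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, status in scan_pom(SAMPLE_POM):
        print(f"{artifact:30} {version:10} {status}")
```

Run against a real project, the same function takes the contents of its pom.xml; versions inherited from a parent POM or a BOM show up as unresolved and need the parent checked by hand.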

Bartender
I seem to recall that the Equifax breach wasn't a problem with Struts per se, but one of the Apache libraries it depends on (S2-045 or S2-046 perhaps?).  But yea, Apache seems to have some quality/security problems.
Seeing as how people are still posting on this forum for Struts 1.x support, it really concerns me that there are some applications out there that aren't being kept up to date. I'm sure we'll see some more exploits like Equifax in the future.

Tim Moores
Saloon Keeper
True. I wonder if using Struts 1.x (or similar unpatched and obsolete tools) at this point in a publicly accessible web app would count as "criminal negligence" in a court of law.