Users are advised to update their installations or apply the workarounds

Sep 24, 2013 12:09 GMT

Users are strongly advised to update their Struts installations to version 2.3.15, since the new release addresses two security holes.

One of the issues is related to the Dynamic Method Invocation mechanism. Until now, the mechanism was enabled by default, but users were advised to disable it where possible because of potential security vulnerabilities. In Struts 2.3.15.2, Dynamic Method Invocation is disabled by default.
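As an added illustration (not part of the original article or the Struts project's own files), the following struts.xml shows the defensive configuration behind this change: the Dynamic Method Invocation constant set to false explicitly, so the setting no longer depends on the version's default, with each exposed action method mapped explicitly instead. The package, action and class names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Before 2.3.15.2 this constant defaulted to true. Setting it to false
         explicitly keeps DMI off regardless of which Struts version is deployed. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Hypothetical package: with DMI off, callers can no longer pick an arbitrary
         method via the URL, so every method that should be reachable gets its own
         explicit mapping with the method attribute. -->
    <package name="reports" namespace="/reports" extends="struts-default">
        <action name="view" class="com.example.ReportAction" method="view">
            <result>/WEB-INF/jsp/report.jsp</result>
        </action>
        <action name="delete" class="com.example.ReportAction" method="delete">
            <result name="success" type="redirectAction">view</result>
        </action>
    </package>
</struts>
```

Methods without an explicit mapping (for example, internal helpers on the same action class) remain unreachable from the request URL once the constant is false.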

The second issue is a broken access control vulnerability that can be exploited to bypass security constraints under certain conditions. The Struts 2 action mapping mechanism has been changed to fix this flaw.

Additional details on this vulnerability will be made available after the patch is widely deployed.

The best way to address the security holes is to update Struts. However, workarounds have been provided for both issues.
