Users are advised to update their installations as soon as possible

Apr 28, 2014 10:54 GMT

Last week, The Apache Software Foundation released version 2.3.16.2 of Apache Struts, the open-source framework for building Java web applications, to address a ClassLoader manipulation vulnerability (advisory S2-021) that was supposed to have been closed in early March.

In March, the Struts team announced Struts 2.3.16.1 (advisory S2-020), which fixed two security issues: ClassLoader manipulation via request parameters, and a denial-of-service (DoS) weakness in the bundled Commons FileUpload library, addressed by updating that library.

It turns out that the fix for the ClassLoader manipulation issue was incomplete. The exclusion pattern added in 2.3.16.1 only blocked parameter names beginning with "class.", which could be bypassed: OGNL resolves "Class" to the same getClass() getter, so a parameter such as "Class.classLoader..." slipped past the filter, and a "class" segment reached through a nested property was not covered either. Struts 2.3.16.2 was released to close that gap.

Struts 2.3.16.2 ships a broader excludeParams list for ParametersInterceptor so that ClassLoader manipulation is blocked regardless of how the class property is capitalised or nested. The same exclusions have been added to CookieInterceptor to "avoid ClassLoader manipulation when the interceptor is configured to accept all cookie names (wildcard matching via '*')."

All Struts 2 users are advised to update their installations as soon as possible. Before version 2.3.16.2 was released, the Struts team published a configuration-only mitigation (overriding the params interceptor's excludeParams in struts.xml with the stricter pattern). It is recommended, however, that users install the latest release rather than rely on the mitigation.
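To show concretely why the March fix could be bypassed and what the new pattern changes, here is an added Python example (not code from this article or from the Struts project) that applies both generations of the params interceptor's excludeParams list to a handful of constructed parameter names. The pattern strings are reproduced from the S2-020 and S2-021 advisories from memory and should be checked against the struts-default.xml of your release; the matching rule (a parameter is dropped when any pattern matches its whole name) mirrors how ParametersInterceptor applies them. The sample request and its values are constructed placeholders, not a working payload.

```python
import re

# Default excludeParams of the Struts 2 params interceptor as shipped in
# 2.3.16.1 (S2-020). Reproduced from memory of the advisory; treat the exact
# strings as an assumption and verify against struts-default.xml of your release.
EXCLUDE_PARAMS_2_3_16_1 = [
    r"^class\..*",
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]

# 2.3.16.2 (S2-021) replaces the first entry with a pattern that catches
# "class" in any position, with either capitalisation, in dot or bracket form.
CLASS_PATTERN_2_3_16_2 = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""
EXCLUDE_PARAMS_2_3_16_2 = [CLASS_PATTERN_2_3_16_2] + EXCLUDE_PARAMS_2_3_16_1[1:]


def is_excluded(param_name, patterns):
    """Mirror ParametersInterceptor.isExcluded(): a parameter is dropped when
    any exclude pattern matches the whole name (Java Matcher.matches())."""
    return any(re.fullmatch(p, param_name) for p in patterns)


def accepted_params(params, patterns):
    """Return only the parameters the interceptor would push onto the value stack."""
    return {k: v for k, v in params.items() if not is_excluded(k, patterns)}


# Constructed request parameters: one benign field plus four spellings of a
# property path that reaches the ClassLoader. Values are placeholders.
SAMPLE_REQUEST = {
    "user.name": "alice",
    "class.classLoader.resources.dirContext.docBase": "x",          # blocked by both lists
    "Class.classLoader.resources.dirContext.docBase": "x",          # OGNL resolves Class via getClass()
    "user.class.classLoader.resources.dirContext.docBase": "x",     # class reached through a nested property
    "top['class'].classLoader.resources.dirContext.docBase": "x",   # bracket notation
}


def bypasses(patterns=EXCLUDE_PARAMS_2_3_16_1):
    """Names in SAMPLE_REQUEST that reach the ClassLoader yet survive the filter."""
    return [
        name for name in accepted_params(SAMPLE_REQUEST, patterns)
        if "classLoader" in name
    ]


if __name__ == "__main__":
    print("2.3.16.1 lets through:", bypasses(EXCLUDE_PARAMS_2_3_16_1))
    print("2.3.16.2 lets through:", bypasses(EXCLUDE_PARAMS_2_3_16_2))
```

Running it shows the old list rejecting only the lowercase "class." prefix while the three variants get through, and the 2.3.16.2 list dropping all four while leaving "user.name" untouched. The same check is what you would run against a custom excludeParams override before trusting the struts.xml mitigation: an anchored, case-sensitive prefix is not enough when the expression language does its own name normalisation.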

You can download Apache Struts, the latest version, from Softpedia’s Scripts section. Additional details on the latest security update are available on the Struts website.