
Struts 1 No Longer Supported - Security vulnerability confirmed - No fix

Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

The Apache Struts Project Team would like to inform you that the Struts 1.x web framework has reached its end of life and is no longer officially supported.

Started in 2000, Struts 1 had its last release - version 1.3.10 - in December 2008. In the meantime the Struts community has focused on pushing the Struts 2 framework forward, with as many as 23 releases as of April 2013. Taking this into account, announcing Struts 1 EOL is just the official statement that we have been lacking volunteer support for some time now and that users should not rely on a properly maintained framework state when utilizing Struts 1 in projects.

Read More Here

On Tue, 29 Apr 2014, the Struts developers confirmed that Struts is vulnerable to a class loader exploit:
The Apache Struts project team confirms that Struts 1 in all versions is
affected by a ClassLoader manipulation vulnerability similar to a
recently fixed vulnerability in Struts 2 (CVE-2014-0112, CVE-2014-0094) [1].

See here

There is currently no fix.


"blabbing like a narcissistic fool with a superiority complex" ~ N.A.
[How To Ask Questions On JavaRanch]
Yogesh Lonkar
Ranch Hand

Joined: Jul 17, 2012
Posts: 94

Good to hear it, as more attention will be given to Struts 2.


Learning some thing New Every Day
Souvvik Basu
Ranch Hand

Joined: Apr 05, 2010
Posts: 96
ohh....does that mean we will not see many new projects being written on Struts 1.x from now on?

Just curious to know the opinion of other ranchers on this.

Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Souvvik Basu wrote:ohh....does that mean we will not see many new projects being written on Struts 1.x from now on?


Struts 1.x was useful when it was the only game in town, but it has serious architectural flaws. There is absolutely no reason to use Struts 1.x when more productive frameworks (Struts 2, Spring, Wicket, Stripes, etc.) have been available for years.
Souvvik Basu
Ranch Hand

Joined: Apr 05, 2010
Posts: 96
Hi Joe,
It confuses me when I see people referring to Struts 2 as being a better alternative to Struts 1. Around 7-8 months back, I spoke to a couple of my seniors in the IT field (each with at least 6+ years experience). All said that according to what they have seen in different projects, Struts 2 hasn't really caught up, and Struts 1.x is still by far the more popular option in Struts. They, of course, agreed that Spring is better than either of Struts 1.x or 2.x.

Just to clarify again...I am just interested to know people's opinion. Because this formal announcement did come as a little surprise to me. While it's true that 1.x didn't have any releases post late December, a formal burial surprises me (given the feedback I got about its popularity and usefulness). So I just wanted to keep myself updated correctly on the trends.
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Souvvik Basu wrote: Struts 2 hasn't really caught up, and Struts 1.x is still by far the more popular option in Struts.


If they are just talking numbers, Struts 1.x was the only game in town for several years, so it is unlikely that any single framework will get the numbers that it racked up. That said, it has several problems (form beans, Action classes must extend a class) that make developing with it extremely painful compared to modern frameworks. I would question the sanity of anyone who would pick Struts 1.x over Struts 2.x, even before the EOL announcement.

Souvvik Basu wrote:
1.x didn't have any releases post late December,


Struts 1.x hasn't had a release since December, 2008.
karthick meyyappan
Ranch Hand

Joined: Jul 29, 2011
Posts: 43

It confuses me when I see people referring to Struts 2 as being a better alternative to Struts 1. Around 7-8 months back, I spoke to a couple of my seniors in the IT field (each with at least 6+ years experience). All said that according to what they have seen in different projects, Struts 2 hasn't really caught up, and Struts 1.x is still by far the more popular option in Struts. They, of course, agreed that Spring is better than either of Struts 1.x or 2.x.

I really stick with highlights of Souvvik Basu. Here also like that of same....
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10048

sekhar kiran,
Your post was moved to a new topic.


[My Blog] [JavaRanch Journal]
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

I have used it in many of my projects. I am wondering if the existing projects would be migrated to Struts 2 or some other frameworks will win over.


Ananth Chellathurai [Walk on software]
 