The Register has the story, and Apache has also weighed in. This affects all versions prior to 2.3.35 and 2.5.17. Given what happened to Equifax last year, all should upgrade ASAP. Choice quote from The Reg article: "My one takeaway, not a joke - stop using Apache Struts."
I seem to recall that the Equifax breach wasn't a problem with Struts per se, but one of the Apache libraries it depends on (S2-045 or S2-046 perhaps?). But yeah, Apache seems to have some quality/security problems.
Seeing as how people are still posting on this forum for Struts 1.x support, it really concerns me that there are some applications out there that aren't being kept up to date. I'm sure we'll see some more exploits like Equifax in the future.