Yet again: All Struts versions highly vulnerable - upgrade now

 
Saloon Keeper
The Register has the story, and Apache has also weighed in. This affects all versions prior to 2.3.35 and 2.5.17. Given what happened to Equifax last year, all should upgrade ASAP. Choice quote from The Reg article: "My one takeaway, not a joke - stop using Apache Struts."
 
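A quick way to act on the version numbers in the post above is to inventory the Struts jars actually deployed and compare them against the fixed releases. The script below is an added example written for this thread, not code from the post or from the Struts project. It takes the rule straight from the post (anything on 2.3.x before 2.3.35, and anything before 2.5.17, is affected) and flags Struts 1.x separately since it gets no fixes at all. The jar file-name patterns and the `META-INF/maven/org.apache.struts/struts2-core/pom.properties` path used as a fallback when a jar has been renamed are assumptions about Maven-built artifacts; a shaded or repackaged jar will not be identified by this check and needs inspection of its classes. The sample jars it scans are constructed in a temporary directory and are not real artifacts.

```python
"""Inventory deployed Struts jars against the fixed versions named in the advisory."""
import os
import re
import tempfile
import zipfile

# Fixed releases from the post: 2.3.x before 2.3.35 and anything before 2.5.17 is affected.
FIXED_23 = (2, 3, 35)
FIXED_25 = (2, 5, 17)

# Assumed file-name conventions for Struts 2 and Struts 1 jars.
JAR_NAME = re.compile(r"^(?:struts2-core|struts-core|struts)-(\d+(?:\.\d+)*)\.jar$")
# Assumed location of Maven build coordinates inside a struts2-core jar.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.5.16.1' -> (2, 5, 16, 1); a non-numeric qualifier ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(version):
    """Return 'fixed', 'vulnerable', 'struts1-eol' or 'unknown' for a version string."""
    v = parse_version(version)
    if not v:
        return "unknown"
    if v[0] == 1:
        return "struts1-eol"      # Struts 1 is end-of-life and receives no fixes
    if v >= FIXED_25:
        return "fixed"            # 2.5.17 and anything later
    if v[:2] == (2, 3) and v >= FIXED_23:
        return "fixed"            # 2.3.35 and later on the maintenance branch
    return "vulnerable"


def version_from_jar(path):
    """Version from the file name, else from Maven's pom.properties inside the jar."""
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        return m.group(1)
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as jar:
        if POM_PROPS not in jar.namelist():
            return None               # a zip, but not identifiable as struts2-core
        for line in jar.read(POM_PROPS).decode("ascii", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan(root):
    """Map each jar under root that can be identified as Struts to (version, status)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            version = version_from_jar(os.path.join(dirpath, name))
            if version is None:
                continue              # not a Struts jar we can recognise
            results[name] = (version, classify(version))
    return results


def demo():
    """Constructed sample: four jars in a throwaway WEB-INF/lib, not real artifacts."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "WEB-INF", "lib")
        os.makedirs(lib)
        # Versioned file names: identified without opening them.
        for name in ("struts2-core-2.3.34.jar", "struts2-core-2.5.17.jar", "struts-1.3.10.jar"):
            open(os.path.join(lib, name), "wb").close()
        # Renamed jar: version only discoverable from pom.properties inside it.
        with zipfile.ZipFile(os.path.join(lib, "struts2-core.jar"), "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.struts\n"
                                    "artifactId=struts2-core\nversion=2.5.16.1\n")
        return scan(root)


if __name__ == "__main__":
    for name, (version, status) in sorted(demo().items()):
        print(f"{name:28} {version:10} {status}")
```

Point `scan()` at each application server's deployment root (every exploded webapp, not just the one you remember deploying) and treat any `vulnerable` or `struts1-eol` line as an upgrade ticket; a jar the script cannot identify is a reason to look harder, not a clean result.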
Bartender
I seem to recall that the Equifax breach wasn't a problem with Struts per se, but one of the Apache libraries it depends on (S2-045 or S2-046 perhaps?). But yeah, Apache seems to have some quality/security problems.
Seeing as how people are still posting on this forum for Struts 1.x support, it really concerns me that there are some applications out there that aren't being kept up to date. I'm sure we'll see some more exploits like Equifax in the future.
 
Tim Moores
Saloon Keeper
True. I wonder if using Struts 1.x (or similar unpatched and obsolete tools) at this point in a publicly accessible web app would count as "criminal negligence" in a court of law.
 