Apache Struts update closes critical holes
The Apache Struts developers have released version 2.3.1.1 of their open source framework for Java-based web applications. The update closes critical holes in Struts 2, fixing four old and well-known security vulnerabilities that could be exploited by an attacker to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.
Versions 2.1.0 to 2.3.1 of Struts are affected; upgrading to 2.3.1.1 corrects the issues. Alternatively, the security advisory provides instructions for changing a configuration file which mitigates the problem. Further information about the update can be found in the version notes and the project's security advisory. Struts 2.3.1.1 is available to download from the project's site.
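The article does not reproduce the configuration change; the fragment below is an added illustration, not text from the article or from the Apache advisory. It assumes a standard Struts 2 `struts.xml` and uses the documented Struts 2 constant `struts.enable.DynamicMethodInvocation`, which switches off the DMI mechanism the article names. The two `<struts>` roots are alternative versions of the same file, shown side by side; the package and action names are constructed for the example. Disabling DMI is only one of the advisory's recommendations, so the upgrade to 2.3.1.1 remains the primary fix.

```xml
<!-- Added example, not from the article or the Apache advisory.
     Assumed: the file is the application's struts.xml on the classpath, and
     struts.enable.DynamicMethodInvocation is the documented Struts 2 DMI switch. -->

<!-- Exposed variant: DMI left enabled, so a request can select which action
     method is invoked instead of being limited to the configured one. -->
<struts>
    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
    <package name="default" extends="struts-default">
        <action name="login" class="com.example.LoginAction">
            <result>/login.jsp</result>
        </action>
    </package>
</struts>

<!-- Hardened variant: DMI disabled; only methods declared explicitly on an
     <action> element (here execute, the default) are reachable. -->
<struts>
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />
    <package name="default" extends="struts-default">
        <action name="login" class="com.example.LoginAction" method="execute">
            <result>/login.jsp</result>
        </action>
    </package>
</struts>
```

To verify the setting took effect after a restart, check that a request using the DMI method-selection syntax is rejected rather than dispatched; if an application relies on DMI to reach multiple methods, declare each one as its own `<action>` with an explicit `method` attribute before turning the constant off.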
See also:
- Multiple critical vulnerabilities in Struts 2, an Apache security advisory.
(crve)