Apache Struts update closes critical holes
The Apache Struts developers have released version 126.96.36.199 of their open source framework for Java-based web applications. The update closes critical holes in Struts 2, fixing four old and well known security vulnerabilities that could be exploited by an attacker to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.
Versions 2.1.0 to 2.3.1 of Struts are affected; upgrading to 188.8.131.52 corrects the issues. Alternatively, the security advisory provides instructions for changing a configuration file which mitigates the problem. Further information about the update can be found in the version notes and the project's security advisory. Struts 184.108.40.206 is available to download from the project's site.
- Multiple critical vulnerabilities in Struts 2, an Apache security advisory.