
Apache urges upgrade of Apache Struts v2.3 and v2.5 due to potential vulnerability, even when no additional plugins have been enabled.

Developers, organisations and companies are being urged to upgrade Apache Struts today to ensure critical infrastructure and customer data are not put at risk.

The new remote code execution vulnerability affects all supported versions of Apache Struts 2, the Apache Software Foundation said. Apache Struts is a globally popular framework used for creating Java web applications. A patched version has been released today.

Struts applications often face the public internet, which means that in most situations an attacker does not require any existing privileges on a vulnerable Struts application to launch an attack against it, the Apache Software Foundation said.

‘Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17,’ Apache Software Foundation said. ‘All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.’

Remote code execution vulnerabilities are commonly considered to be the most severe type of security issue, as they allow attackers to take control of a vulnerable system. This can provide a hacker with an entry point into corporate networks, and can put both infrastructure and data at risk.

The latest releases from Apache Software Foundation can be found here.
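As an added example (not from the Apache Software Foundation or the original article), the Python sketch below classifies Struts core jars found in a deployment against the fixed releases quoted above. It assumes the library ships as `struts2-core-<version>.jar`; the sample paths and the status labels are constructed for illustration.

```python
import re

# Fixed release per branch, as quoted in the advisory text above.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Assumption: core jar is named struts2-core-<version>[-qualifier].jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)(?:[-.][\w.]+)?\.jar$")


def classify(path):
    """Return (version, status) for a Struts core jar, or None for other files."""
    m = JAR_RE.search(path)
    if not m:
        return None
    version = m.group(1)
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        # The quoted advice names only the 2.3 and 2.5 branches.
        return version, "unlisted-branch"
    # Tuple comparison handles four-part versions such as 2.3.15.1.
    return version, "upgrade" if parts < fixed else "ok"


def audit(paths):
    """Map each Struts core jar path to its (version, status)."""
    results = {}
    for p in paths:
        verdict = classify(p)
        if verdict is not None:
            results[p] = verdict
    return results


# Constructed sample input: paths as they might appear in unpacked WAR files.
SAMPLE = [
    "shop/WEB-INF/lib/struts2-core-2.3.34.jar",
    "shop/WEB-INF/lib/commons-lang3-3.8.jar",
    "portal/WEB-INF/lib/struts2-core-2.5.17.jar",
    "legacy/WEB-INF/lib/struts2-core-2.1.8.jar",
]

if __name__ == "__main__":
    for path, (version, status) in audit(SAMPLE).items():
        print(f"{status:16} {version:10} {path}")
```

Jars reported as `unlisted-branch` fall outside the two branches the quoted advice names and need a manual decision.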