The Apache Software Foundation has released version 2.3.16.2 of Apache Struts, the open-source framework for building Java web applications, to address a zero-day vulnerability. This is the second patch for the issue: the first one, issued in March, did not fully close it.
It all started in March, when the Apache Struts group released Struts 2.3.16.1, which was supposed to fix two security issues: ClassLoader manipulation via request parameters, and an update to the Commons FileUpload library to prevent denial-of-service (DoS) attacks.
As it turns out, the fix for the ClassLoader manipulation was incomplete, and as a result Struts 2.3.16.2 was released.
Struts 2.3.16.2 comes with improved excluded parameters to avoid ClassLoader manipulation via ParametersInterceptor. Excluded parameters have also been added to CookieInterceptor to “avoid ClassLoader manipulation when the interceptor is configured to accept all cookie names (wildcard matching via ‘*’).”
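To make the fix concrete, here is an added illustration (not Struts' own code, and not its actual excludeParams regex) of what an exclusion check on parameter or cookie names has to do: reject any OGNL-style path that touches the class/classLoader properties in any segment, whether written with dots or brackets and whatever the letter case, while leaving ordinary property names alone. The segment parser and the denied-name set are assumptions for the example.

```python
import re

# Added illustrative example, not Struts' own code or its excludeParams pattern.
# It models the idea behind the fix: before request parameters (or, with
# wildcard cookie acceptance, cookie names) are bound to action properties,
# refuse any name whose OGNL-style path reaches the class/classLoader
# properties, in dot or bracket notation and regardless of case.

# One path segment: a bracket index such as [0], ['class'] or ["class"]
# (group 1), or a plain dotted identifier (group 2).
_SEGMENT = re.compile(r"""\[\s*['"]?([^'"\]]*)['"]?\s*\]|([^.\[\]]+)""")

# Property names that user-controlled input must never be able to reach
# (compared case-insensitively). Assumed for this example.
DENIED_SEGMENTS = {"class", "classloader"}


def path_segments(name):
    """Split an OGNL-style parameter name into its property/index segments."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _SEGMENT.finditer(name)]


def is_allowed_name(name):
    """True unless any segment of the path names a denied property."""
    return not any(seg.strip().lower() in DENIED_SEGMENTS
                   for seg in path_segments(name))


def filter_params(params):
    """Return (accepted, rejected): accepted keeps safe parameters, rejected
    lists the names a hardened interceptor would refuse to bind."""
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_allowed_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request: ordinary form fields plus names that try to
    # reach the class/classLoader property chain.
    sample = {
        "user.firstName": "Ann",
        "classification": "public",      # contains "class" but is a different property
        "class.classLoader.foo": "x",
        "order['class'].x": "y",
        "items[0].Class.foo": "z",
    }
    ok, bad = filter_params(sample)
    print("accepted:", sorted(ok))
    print("rejected:", sorted(bad))
```

Note that the check is per segment, so a prefix-only or case-sensitive match would accept the bracket and mixed-case forms that this version rejects.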
All Struts 2 users should update their installations as soon as possible, officials said. Before version 2.3.16.2 was released, the Struts group published a method that could mitigate the attack. However, Struts officials recommend that users install the latest version rather than rely on the mitigation.
Additional details on the latest security update are available on the Struts website.