Network Security, Vulnerability Management

Updates address vulnerabilities in Apache Struts versions 2.5 to 2.5.14

A pair of security updates released by the Apache Software Foundation patch vulnerabilities in Apache Struts versions 2.5 to 2.5.14 that would let a remote attacker take control of a system, according to a US-CERT alert.

Apache Security Bulletin S2-054 addresses an outdated JSON-lib library in the REST Plugin, which would let miscreants execute denial-of-service (DoS) attacks “using malicious request with specially crafted JSON payload.”

The organization advised administrators to upgrade to Apache Struts or use the Jackson handler rather than the default JSON-lib handler.

Apache Security Bulletin S2-055 patches a vulnerability in a Jackson deserializer in the Jackson JSON library. Administrators should upgrade to Apache Struts or manually upgrade Jackson dependencies in a project to versions that are not vulnerable.

Earlier in the fall it was revealed that Equifax twice missed a vulnerability in Apache Struts responsible for a breach that affected 145.5 million U.S. consumers.
