A severe vulnerability has been detected in the Apache Struts 2 framework. The vulnerability allows full remote code execution and is being actively exploited in the wild.
The UBC Cybersecurity team has been in contact with all known owners of applications relying on Apache Struts. If you are responsible for an application that uses the Struts framework and have not been contacted by us, please email Aaron Heck (firstname.lastname@example.org) immediately.
- Affected versions: Apache Struts 2.3 through Struts 2.3.34 and Struts 2.5 through Struts 2.5.16
- Unsupported Struts versions (i.e., all versions < 2.3) may also be affected
- Upgrade to Struts 2.3.35 or Struts 2.5.17
- Contact email@example.com if you have any questions
- Regularly check Apache Struts Security Bulletins (https://cwiki.apache.org/confluence/display/WW/Security+Bulletins)