A pair of security updates released by the Apache Software Foundation patch vulnerabilities in Apache Struts versions 2.5 to 2.5.14 that would let a remote attacker take control of a system, according to a US-CERT alert.
Apache Security Bulletin S2-054 resolves an outdated JSON-lib library in the REST Plugin, which would let attackers mount denial of service (DoS) attacks “using malicious request with specially crafted JSON payload.”
The organization advised administrators to upgrade to Apache Struts 2.5.14.1 or use the Jackson handler rather than the default JSON-lib handler.
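As an added illustration, not taken from the bulletin or the article, this is what the second option looks like in an application's struts.xml: the REST Plugin's own configuration maps the "json" extension to its JSON-lib handler, and the application overrides that mapping to point at Jackson. It assumes the Struts 2.5 REST plugin's documented bean type, handler class and override constant, and that jackson-databind is already on the classpath.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Added example, not code from the article or the Struts project.
         The REST plugin's struts-plugin.xml binds the "json" extension to
         JsonLibHandler (json-lib), which is the handler S2-054 concerns. -->

    <!-- Register Jackson as a content-type handler under the name "jackson".
         Assumes jackson-databind (with jackson-core and jackson-annotations)
         is on the application classpath. -->
    <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
          name="jackson"
          class="org.apache.struts2.rest.handler.JacksonLibHandler"/>

    <!-- Route the "json" extension to that handler instead of the default.
         The constant name follows the REST plugin documentation. -->
    <constant name="struts.rest.handlerOverride.json" value="jackson"/>
</struts>
```

This is a workaround, not a substitute for the upgrade: it stops JSON-lib from parsing request bodies, but the Jackson library it hands them to must itself be at a patched version, which is the subject of the companion bulletin.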
Apache Security Bulletin S2-055 patches a deserialization vulnerability in the Jackson JSON library on which the REST Plugin depends. Administrators should upgrade to Apache Struts 2.5.14.1 or manually upgrade the Jackson dependencies in their project to versions that are not vulnerable. Because the workaround for S2-054 routes JSON handling through Jackson, the two bulletins should be applied together.
Earlier in the fall it was revealed that Equifax twice missed a vulnerability in Apache Struts responsible for a breach that affected 145.5 million U.S. consumers.