Network Security, Vulnerability Management

Updates address vulnerabilities in Apache Struts versions 2.5 to 2.5.14

A pair of security updates released by the Apache Software Foundation patch vulnerabilities in Apache Struts versions 2.5 to 2.5.14 that would let a remote attacker take control of a system, according to a US-CERT alert.

The Apache Security Bulletin S2-054 resolves a outdated JSON-lib library in the REST Plugin, which would let miscreants execute denial of service (DoS) attacks “using malicious request with specially crafted JSON payload.”

The organization advised administrators to upgrade to Apache Struts 2.5.14.1 or use the Jackson handler rather than the default JSON-lib handler.

Apache Security Bulletin S2-055 patches a Jackson Deserializer in the Jackson JSON library. Administrators should upgrade to Apache Struts 2.5.14.1 or manually upgrade Jackson dependencies in a project to versions that are not vulnerable. 

Earlier in the fall it was revealed that Equifax twice missed a vulnerability in Apache Struts responsible for a breach that affected 145.5 million U.S. consumers.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds