The Apache Struts project has released version 2.5.13. The update fixes three critical vulnerabilities that have existed for nearly a decade.
The Apache Software Foundation (ASF) has fixed CVE-2017-9805, a Remote Code Execution (RCE) vulnerability. It was first reported in July by Man Yue Mo, a security researcher at lgtm.com. Notably, the issue is not a recent one: it has affected every version of Apache Struts since 2008.
The second vulnerability patched in the latest Apache Struts release is CVE-2017-9793, which can lead to a Denial-of-Service (DoS) attack. The REST plugin used an outdated XStream library, and an attacker could trigger the flaw with a malicious request carrying a crafted XML payload.
Lastly, the third vulnerability patched in this update is CVE-2017-9804, found in the URLValidator component. It too can lead to a Denial-of-Service attack.
While there are no reported attacks exploiting the now-fixed vulnerabilities, users should still update their installations of the Apache Struts Java framework. Developers working on web projects and enterprise applications should likewise move to the latest version to secure their work.
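As an added example (not code from the article or the Struts project), the following audit script scans a Maven pom.xml for Struts artifacts older than the 2.5.13 release named above, so a team can confirm the update landed in every project. It assumes the affected artifacts are struts2-core and struts2-rest-plugin under groupId org.apache.struts, maps CVE-2017-9805 to the REST plugin as in the ASF advisory (this article does not state that), and treats any version below 2.5.13 as unpatched; other fixed branches not mentioned here are not considered. The pom is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 5, 13)  # release the article names as carrying the fixes
# Assumed artifact-to-advisory mapping (REST plugin per the ASF advisory).
CVES_BY_ARTIFACT = {
    "struts2-rest-plugin": ["CVE-2017-9805", "CVE-2017-9793"],
    "struts2-core": ["CVE-2017-9804"],
}

# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.12</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.12</version>
    </dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Drop the Maven XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.12' -> (2, 5, 12); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def audit_pom(pom_xml):
    """Return [(artifactId, version, cves)] for Struts artifacts below 2.5.13."""
    root = ET.fromstring(pom_xml)
    props = {}  # <properties> so that ${struts.version} references resolve
    for el in root.iter():
        if _local(el.tag) == "properties":
            for child in el:
                props[_local(child.tag)] = (child.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        artifact = fields.get("artifactId", "")
        if fields.get("groupId") != "org.apache.struts" or artifact not in CVES_BY_ARTIFACT:
            continue
        version = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        # An unresolvable or missing version is reported rather than silently passed.
        if not version or parse_version(version) < FIXED_VERSION:
            findings.append((artifact, version or "(unresolved)", CVES_BY_ARTIFACT[artifact]))
    return findings


if __name__ == "__main__":
    for artifact, version, cves in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: update to 2.5.13 ({', '.join(cves)})")
```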