Important security update for Apache Struts
Posted by: TimW on 05/31/2013 02:37 PM
According to the Struts developers, the maximum threat level for Apache Struts is "highly critical". Version 2.3.14.2 of the Java framework fixes several high-risk vulnerabilities that allow attackers to inject code into the server, for example via specially crafted HTTP requests. The holes have been identified as CVE-2013-2115 and CVE-2013-1966.
Vulnerability details and a Proof of Concept (PoC) can be found via the advisory link above and on the Coverity blog. The previous version (Struts 2.3.14.1) was supposed to close the holes, but that update failed to block all potential attacks. All versions prior to the new update are vulnerable. Anyone running Struts on their server should update immediately.
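Two checks an administrator would want after reading the above, written here as an added example that is not from the post, the Struts project, or Coverity: a version comparison that flags any Struts release older than the 2.3.14.2 fix named in the post, and a scan of web-server access logs for request parameters that, once URL-decoded, contain OGNL expression delimiters (`%{`, `${`) or context references (`#name`). The log lines are constructed for the example, and the function names and the marker regex are this example's own choices, not anything the advisory specifies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fixed release named in the post; anything older is treated as vulnerable.
FIXED_VERSION = (2, 3, 14, 2)

# OGNL expression markers to look for in decoded request parameters.
# %{...} and ${...} delimit expressions; '#' introduces a context reference.
# This pattern is a heuristic chosen for the example, not an official signature.
OGNL_MARKERS = re.compile(r"[%$]\{|#[A-Za-z_]")

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). The second and third
# carry URL-encoded OGNL-looking values; the last is a POST whose body an
# access log never shows.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2013:14:40:01 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [31/May/2013:14:40:07 +0000] "GET /app/index.action?name=%25%7B1%2B1%7D HTTP/1.1" 200 1024
10.0.0.7 - - [31/May/2013:14:40:09 +0000] "GET /app/list.action?id=%24%7B%23foo%7D HTTP/1.1" 500 0
10.0.0.3 - - [31/May/2013:14:40:11 +0000] "POST /app/search.action HTTP/1.1" 200 300
"""


def parse_version(text):
    """Turn a version string such as '2.3.14.1' into a comparable int tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_vulnerable_version(text):
    """True when the given Struts version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def find_ognl_in_log(log_text):
    """Return one record per request whose query parameters look like OGNL.

    Each parameter name and value is URL-decoded once (parse_qsl does this),
    then matched against OGNL_MARKERS. Requests that fail to parse as
    Common Log Format are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # Check both halves: Struts evaluates parameter names as well as values.
            for field, text in (("name", name), ("value", value)):
                found = OGNL_MARKERS.search(text)
                if found:
                    hits.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "target": m.group("target"),
                        "param": name,
                        "value": value,
                        "where": field,
                        "marker": found.group(0),
                    })
                    break  # one record per parameter is enough
    return hits


if __name__ == "__main__":
    for v in ("2.3.14.1", "2.3.14.2", "2.0.11"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for h in find_ognl_in_log(SAMPLE_LOG):
        print(h["time"], h["ip"], h["target"], "->", h["param"], "=", repr(h["value"]))
```

Two caveats apply. The scan decodes each parameter once, so doubly encoded input would slip past it; if the front-end or application decodes more than once, decode the same number of times before matching. And GET query strings are all an access log records: the POST in the sample produces no hit because its body is not logged, so a body-level check belongs in the application or a web application firewall, not in log review.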
This is yet another OGNL-related problem for the Struts framework. Holes in the implementation of the expression language have previously been found, and closed, in January 2012, August 2010 and in November 2008.