Apache Struts 2 needs patching, without delay. It's under attack now

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack. If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately. CVE-2017-5638 is documented at Rapid7's Metasploit …

  1. Anonymous Coward

    Apache what?

    Maybe it's just me, but when I read "Apache vulnerability" without any further qualification as to which part of the Apache Foundation's gazillion apps is meant, I tend to assume it's the plain old HTTPD.

    Turns out, it's not. It's Apache Struts Jakarta, not the trusty web server.

  2. Alistair

    @ AC - if you have a default tomcat install, Jakarta struts is very likely in there. Pops up on *all* our tomcat installs.

    Fortunately, all are internal and hidden behind......

    apache httpd reverse proxies.

    1. Anonymous Coward

      I've just downloaded the .tar.gz of the current release of Tomcat from the Apache project, and it doesn't contain Struts. Are you sure you're not confusing things with what a Linux distribution installs alongside a bundled version of Tomcat?

  3. Alistair

    I'll agree it's likely a packaging issue - but it seems to be consistent across our platforms (HPUX, AIX and Linux, although not so consistent on Windows) - Sadly, we don't seem to have anything relevant on Solaris.

    I've a system that was an under the desk dev box, hand built by someone, and even that tomcat has struts ...

    It's a rather large environment and it seems that where we have tomcat, we have struts. I'm working on the 'is it actually used' tests.
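A defender-side inventory check for the situation Alistair describes (Struts jars turning up under every Tomcat install). This is an added example, not code from the thread or from the Apache project; it assumes the usual exploded-webapp layout under a Tomcat base directory and jar names of the form struts2-core-<version>.jar, and the version floor to compare against is supplied by the caller.

```shell
#!/bin/sh
# Inventory of Struts 2 core jars under a Tomcat base directory (assumed layout:
# $CATALINA_BASE/webapps/<app>/WEB-INF/lib/struts2-core-<version>.jar).
# Exploded webapps only: packed .war files are not opened, and the version is
# read from the file name, so a renamed or shaded jar is not detected.

tab=$(printf '\t')

# find_struts_jars BASE -> one "app<TAB>path<TAB>version" line per jar found
find_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        app=$(printf '%s\n' "$jar" | sed -n 's#.*/webapps/\([^/]*\)/.*#\1#p')
        [ -n "$app" ] || app="(outside webapps)"   # e.g. a shared CATALINA_BASE/lib
        ver=$(basename "$jar" .jar | sed 's/^struts2-core-//')
        printf '%s\t%s\t%s\n' "$app" "$jar" "$ver"
    done
}

# vercmp A B -> prints -1, 0 or 1, comparing dotted numeric versions field by
# field (2.3.31 < 2.3.32, 2.5.10 < 2.5.10.1); missing fields count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# report_below BASE MINVER -> prints every jar whose version is below MINVER;
# exit status 1 if any were found, 0 if none. MINVER is a single floor, so run
# one call per release branch you actually deploy.
report_below() {
    found=0
    while IFS="$tab" read -r app jar ver; do
        [ -n "$jar" ] || continue
        if [ "$(vercmp "$ver" "$2")" = "-1" ]; then
            printf '%s\t%s\t%s\n' "$app" "$jar" "$ver"
            found=1
        fi
    done <<EOF
$(find_struts_jars "$1")
EOF
    return $found
}
```

Run it as `report_below /opt/tomcat 2.3.32` (path and floor are placeholders) and feed the output into the "is it actually used" list; a non-zero exit makes it usable as a cron or CI gate.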

  4. Anonymous Coward

    Wish I'd seen this article in March :(

