Apache Struts 2 Struts 1 Plugin
A new Apache Struts vulnerability could allow a remote threat actor to execute code on an affected server. The vulnerability exists in an Apache Struts 1 plugin, which allows developers to use Struts 1 Actions and ActionForms in Struts 2 web applications, and affects servers running Struts versions 2.3.x. A threat actor exploits the vulnerability by sending a specially crafted request to the vulnerable server. The NJCCIC recommends all users and administrators of the affected Apache Struts plugin review both the Apache Security Bulletin and Trend Micro’s analysis and, if possible, upgrade to the most current release of Apache Struts, version 2.5.x. If upgrading is not feasible, Apache advises always using resource keys instead of passing a raw message to the ActionMessage.
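
One way to audit a code base for the pattern Apache's workaround addresses, as an added example (not from the NJCCIC advisory or the Struts project): this heuristic Python scan flags `new ActionMessage(...)` calls whose first argument is anything other than a single string literal, so they can be reviewed and converted to resource keys. The Java sample and its names (`form`, `order.added`) are constructed for illustration.

```python
import re

CTOR = re.compile(r"new\s+ActionMessage\s*\(")
LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')  # exactly one Java string literal

# Constructed Java sample (not from the advisory): one raw concatenated
# message, one resource key with a parameter, one value passed directly.
SAMPLE = '''\
ActionMessages messages = new ActionMessages();
// raw message built from request data
messages.add("msg", new ActionMessage("Order " + form.getName() + " was added"));
// resource key, value supplied as a parameter
messages.add("msg", new ActionMessage("order.added", form.getName()));
messages.add("msg", new ActionMessage(form.getComment()));
'''

def first_argument(source, start):
    """Return the first constructor argument, starting just after '('."""
    depth, in_string, i = 0, False, start
    while i < len(source):
        ch = source[i]
        if in_string:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break               # closing paren of the constructor call
            depth -= 1
        elif ch == "," and depth == 0:
            break                   # end of the first argument
        i += 1
    return source[start:i].strip()

def find_raw_action_messages(source):
    """Return (line, first_argument) for calls that need manual review."""
    findings = []
    for m in CTOR.finditer(source):
        arg = first_argument(source, m.end())
        if not LITERAL.fullmatch(arg):  # concatenation, variable or method call
            findings.append((source.count("\n", 0, m.start()) + 1, arg))
    return findings

if __name__ == "__main__":
    for line, arg in find_raw_action_messages(SAMPLE):
        print(f"line {line}: review first argument: {arg}")
```

The scan is textual, so a flagged variable may turn out to hold a constant resource key; each finding is a prompt for review rather than a confirmed defect.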