Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.
The advisories have since been updated to add 61 more unique Struts versions that were affected by at least one previously disclosed vulnerability but had been left off the advisories for those vulnerabilities.
The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.
Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:
While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.
Case in point: Equifax
Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.
Synopsys’ BDSR explored questions such as whether successful exploitation of the versions that got left out of previous security advisories would yield RCE or leave a system vulnerable to a denial-of-service (DoS) attack.
Moderate risk, but still, update!
BDSR determined that the maximum security rating for the incorrectly listed version ranges of affected releases is moderate. The researchers disclosed the newly discovered affected versions to the Apache Struts team through responsible disclosure procedures.
Mackey pointed out that the Apache Struts team has announced that Struts 2.3 is nearing its end of life:
Users of Struts 2.3 should be actively developing and executing plans to migrate to Struts 2.5 in a prudent manner.
The recommendation: upgrade to Struts 2.3.35 or Struts 2.5.17.
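As an added example (not code from the article, Apache or Synopsys), the recommendation above turned into a dependency check: it reads Maven dependency declarations and flags any org.apache.struts artifact older than the fixed version for its branch (2.3.35 or 2.5.17). It compares against a per-branch floor rather than an advisory's enumerated list of affected versions, so versions an advisory omitted are still caught; the pom.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not code from the article, Apache or Synopsys. Flags Maven
# org.apache.struts dependencies that are older than the fixed version for their
# branch (2.3.x -> 2.3.35, 2.5.x -> 2.5.17, the versions the article recommends).
# Comparing against a per-branch floor rather than an advisory's enumerated list
# of affected versions still catches versions the advisory left out.
FIXED_FLOORS = {(2, 3): "2.3.35", (2, 5): "2.5.17"}

# Constructed sample pom.xml: a stale 2.3.x core, a fixed 2.5.x core and a plugin
# at 2.3.15.1, a four-component version that a plain string compare misorders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.34</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.5.17</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId><version>2.3.15.1</version></dependency>
  </dependencies>
</project>"""

def parse_version(v):
    """'2.3.15.1' -> (2, 3, 15, 1); qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_below_floor(version):
    """True when the version is on a known branch and older than that branch's floor.
    Unresolved properties like ${struts.version} yield no digits and are skipped."""
    parts = parse_version(version)
    floor = FIXED_FLOORS.get(parts[:2])
    return floor is not None and parts < parse_version(floor)

def stale_struts_deps(pom_xml):
    """Return [(artifactId, version)] for org.apache.struts deps below their floor."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    stale = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        if group == "org.apache.struts" and is_below_floor(version):
            stale.append((artifact, version))
    return stale

if __name__ == "__main__":
    for artifact, version in stale_struts_deps(SAMPLE_POM):
        print(f"{artifact} {version} is below the fixed version for its branch")
```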
Who to blame?
This is open-source. You can’t easily lay blame for a gaffe like this or figure out if you’ve correctly patched security issues in a given component, Mackey pointed out in his post:
It’s well understood that security information for open source projects often operates quite differently than that of commercial software. This is in large part due to the community aspect of open source development wherein consumers of open source components download and use a component, often without the knowledge or awareness of the open source developers or leadership for the component. When it comes to security information, this anonymity presents a challenge for those wishing to ensure they’ve correctly patched any security defects in their environment.