As an update to our September 7th blog post on the Apache Struts vulnerability, please be advised that Equifax has stated in its September 13th Progress Update for Consumers regarding its recent massive cybersecurity breach that “[t]he vulnerability was Apache Struts CVE-2017-5638”.
It is critical to ensure that all Apache Struts instances/platforms are secure. Please be reminded of the following recommendations:
Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found on the Apache Struts Releases webpage.
Alternatives to upgrading: no workaround is possible; the best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html
If you use Red Hat Linux, you can find information here: https://access.redhat.com/security/cve/cve-2017-9805
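The first step in acting on the recommendations above is knowing which deployed applications still ship a Struts core or REST plugin jar below the fixed releases. The following inventory script is an added example and is not part of the original post or of the Apache Struts project; it walks a deployment directory (such as an exploded WAR's WEB-INF/lib), identifies Struts jars by file name, compares their versions against the 2.3.34 / 2.5.13 thresholds named above, and reports which of the two recommended actions apply. The directory layout and jar names it scans are constructed sample data.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Minimum fixed releases named in the advisory above, keyed by release line.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 34),
    (2, 5): (2, 5, 13),
}

# Matches e.g. struts2-core-2.3.32.jar or struts2-rest-plugin-2.5.10.1.jar
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: Tuple[int, ...]) -> bool:
    """True when the version is at or above the fixed release for its line.
    Lines not in the table (e.g. 2.1.x) are compared against the newest
    fixed release, so anything older than 2.5.13 is reported as not fixed."""
    fixed = FIXED_VERSIONS.get(version[:2], max(FIXED_VERSIONS.values()))
    return version >= fixed


def scan_for_struts_jars(root: Path) -> List[dict]:
    """Report every Struts core / REST plugin jar under root with its fix status."""
    findings = []
    for path in sorted(root.rglob("*.jar")):
        match = JAR_RE.match(path.name)
        if not match:
            continue
        artifact, version_text = match.groups()
        findings.append({
            "path": str(path),
            "artifact": artifact,
            "version": version_text,
            "fixed": is_fixed(parse_version(version_text)),
        })
    return findings


def recommended_actions(findings: List[dict]) -> List[str]:
    """Map findings onto the two recommendations from the advisory."""
    actions = []
    if any(f["artifact"] == "struts2-core" and not f["fixed"] for f in findings):
        actions.append("upgrade")
    if any(f["artifact"] == "struts2-rest-plugin" and not f["fixed"] for f in findings):
        actions.append("remove-or-restrict-rest-plugin")
    return actions


def build_sample_tree() -> Path:
    """Constructed sample: two fake deployments made of empty jar files.
    Only the file names matter for this filename-based check."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    legacy = root / "legacy-app" / "WEB-INF" / "lib"
    patched = root / "patched-app" / "WEB-INF" / "lib"
    legacy.mkdir(parents=True)
    patched.mkdir(parents=True)
    for name in ("struts2-core-2.3.32.jar", "struts2-rest-plugin-2.3.32.jar",
                 "commons-lang3-3.5.jar"):
        (legacy / name).touch()
    (patched / "struts2-core-2.5.13.jar").touch()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_for_struts_jars(sample_root)
    for finding in results:
        status = "fixed" if finding["fixed"] else "VULNERABLE"
        print(f"{status:10} {finding['artifact']} {finding['version']}  {finding['path']}")
    print("actions:", recommended_actions(results) or ["none"])
```

Because the check is driven by jar file names, it will miss shaded, renamed, or uber-jars; for those, read `META-INF/maven/org.apache.struts/*/pom.properties` inside the archive before concluding that an application is clean.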