×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Apache Struts Zero Day Not Fixed By Patch

samzenpus posted about 8 months ago | from the protect-ya-neck dept.

Security 15

Trailrunner7 (1100399) writes "The Apache Software Foundation released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question. Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen of the Apache Struts team. On March 2, a patch was made available for a ClassLoader vulnerability in Struts up to version 2.3.16.1. An attacker would be able to manipulate the ClassLoader via request parameters. Apache said the fix was insufficient to repair the vulnerability."

Sorry! There are no comments related to the filter you selected.

Of course, the warning is three days old (1)

Anonymous Coward | about 8 months ago | (#46852445)

So... the patch should be out any moment.

Re:Of course, the warning is three days old (0)

Anonymous Coward | about 8 months ago | (#46852551)

Not sure if to mod funny or insightful [apache.org] since "sarcastic" isn't an option...

Version 2.3.16.2 already out (0)

Anonymous Coward | about 8 months ago | (#46852555)

See http://struts.apache.org/announce.html

Still on 1.2 (2)

roman_mir (125474) | about 8 months ago | (#46852637)

Still on Struts 1.2, updating the source code myself to add various missing functionality (various missing attributes that really make the job much easier in many cases). It's amazing how much more life you can squeeze out of that framework simply by extending it.

All zero-day... (1)

Ksevio (865461) | about 8 months ago | (#46852799)

Isn't that the case for all zero-day exploits? If it were already patched then it wouldn't really fit the criteria.

Gee... (2)

ericloewe (2129490) | about 8 months ago | (#46852807)

Must they absolutely advertise their bugs before they're fixed? Nothing wrong with being open after it's been patched, but this is like "Hey, we tried to fix a bug and failed, so you can totally go check our non-fix to figure out how to exploit this!"

Good thing... (4, Insightful)

Bill_the_Engineer (772575) | about 8 months ago | (#46852847)

Apache struts announced another general availability release [apache.org] that has the fix on April 24th.

This is why you shouldn't read a blog post when the source material is just as easy to read.

Re:Good thing... (0)

Anonymous Coward | about 8 months ago | (#46854331)

But how else are these shitty bloggers going to drive up their page hits and revenue?

What? There is still an Apache Struts? (4, Funny)

hax4bux (209237) | about 8 months ago | (#46852875)

How about that?

Re: What? There is still an Apache Struts? (0)

Anonymous Coward | about 8 months ago | (#46853045)

Hahaha there we go. Best comment so far.

Re: What? There is still an Apache Struts? (0)

Anonymous Coward | about 8 months ago | (#46855099)

struts killed my love of programming. 20 years of loving my job disappeared into nowhere.

...which is? (5, Insightful)

CarsonChittom (2025388) | about 8 months ago | (#46853057)

Would it have killed the editor to say, "Apache Struts is an open source framework for Java web applications"? I had to look it up.

Why would they strut something like that? (1)

jeffb (2.718) (1189693) | about 8 months ago | (#46853345)

...never mind. </EmilyLitella>

People still use struts? (0)

Anonymous Coward | about 8 months ago | (#46854293)

People are still using struts?

I use it as one of my weedout questions when interviewing potential employers: "I see you're a struts shop, Nice talking with you, bye".

Still trying to decide if its a step up or down from Tibco, I think marginally a step up.

Re:People still use struts? (0)

Anonymous Coward | about 8 months ago | (#46857111)

These design decisions are usually bedded in older codebases that were designed around the MVC paradigm that Struts (and Spring MVC, and others) provide as a "simplification" layer over JSP and Servlets. And then people leaving their old employer to a new one, taking a functioning web application implementation with them, and why would they want to learn something new? These places still use Ant :p

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?