Apache Struts

Apache Struts 2.5.15 release, security fix


Apache Struts 2.5.15 has been released. Struts, an open source project sponsored by the Apache Software Foundation (ASF), was originally a subproject of the Jakarta project and became an ASF top-level project in March 2004. Built on Java Servlet / JSP technology, it provides an MVC application framework for Java EE web applications and is a classic implementation of the MVC design pattern.

Note that in this release the JSONWriter class has been converted to an interface, with the DefaultJSONWriter class as its default implementation. If you are using this class directly, you must update your code to avoid compilation errors.

This release contains fixes for the following potential security vulnerabilities:

  • S2-054 A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin
  • S2-055 Vulnerability in the Jackson JSON library

All developers are strongly advised to upgrade to this release.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list and, if appropriate, file a tracking ticket.

  • WW-4915 Replace deprecated commons-lang3 classes
  • WW-4910 Align OptGroup with Select
  • WW-4874 Introduces Async plugin (adds support for async methods)
  • WW-4875 Add ability to use Java based configuration

