Reputation: 1
We have projects using Struts 2.0 and 2.1.
We're using web hosting with Tomcat and both projects are working fine on the remote servers. Recently, we got a warning message from the web hosting provider, like:
This notice is to inform you that recently numerous vulnerabilities have been discovered related to the Struts and Struts 2 frameworks and other frameworks which use OGNL classes.
Since your application is using Struts or Struts 2 framework, we highly recommend that you urgently update it to the most recent version: Struts v2.3.16.1
After research, we found there are consistent upgrades: Announcements-2014.
Therefore, we tried to upgrade our Struts to 2.3.16.3 (latest version at present). However, we found it's not a trivial task to upgrade Struts 2, since nothing works, including AJAX tags, AJAX form submission, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.
One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the <sx:submit> or <sj:submit> tags. We don't want to re-write all the code just because of the upgrade.
We want to know, if we don't upgrade Struts 2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hints for solutions based on our situation?
Upvotes: 0
Views: 1039
Reputation: 45553
One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag.
It seems you are using Struts 2 and the Struts 2 jQuery plugin, so try to update to Struts 2 jQuery 3.7.0 too.
I recommend accepting some rework and upgrading, as some of the security issues are high.
There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and list of excluded parameters.
Upvotes: 0
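As an added illustration of the "review your param interceptor stack and list of excluded parameters" advice above (example code, not from Struts or from the asker's project): a stand-alone model of the decision the Struts 2 ParametersInterceptor makes for each request parameter name, an accept pattern plus a list of exclude patterns. The regexes and sample parameter names are constructed to mirror the shape of `params.excludeParams` entries and should be checked against the `struts-default.xml` shipped with the version you upgrade to.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Model of the parameter-name filter: a name is applied to the action only if it
// matches the accept pattern AND matches none of the exclude patterns.
// Illustration only; not code from Struts or from the question's project.
public class ParamNameFilter {
    private final Pattern accept;
    private final List<Pattern> excludes = new ArrayList<>();

    public ParamNameFilter(String acceptRegex, List<String> excludeRegexes) {
        this.accept = Pattern.compile(acceptRegex);
        for (String r : excludeRegexes) {
            excludes.add(Pattern.compile(r));
        }
    }

    // Whole-name matching, as the interceptor does; any exclude hit drops the name.
    public boolean isAcceptable(String name) {
        if (!accept.matcher(name).matches()) return false;
        for (Pattern p : excludes) {
            if (p.matcher(name).matches()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed exclude list (assumption): framework-internal prefixes plus a
        // pattern that refuses any name reaching the "class" property.
        List<String> excludes = Arrays.asList(
            "dojo\\..*", "^struts\\..*", "^session\\..*", "^request\\..*",
            "^application\\..*", "^servlet(Request|Response)\\..*", "^parameters\\..*",
            "(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*");
        // Constructed accept pattern: letters, digits, dots, brackets, quotes, underscore.
        ParamNameFilter f = new ParamNameFilter("[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+", excludes);

        // Constructed sample names: the first two are ordinary form fields and pass,
        // the rest are dropped either by an exclude pattern or by the accept pattern.
        String[] names = { "user.name", "items[0].qty", "struts.token",
                           "session.userId", "class.x", "#application['x']" };
        for (String n : names) {
            System.out.printf("%-20s -> %s%n", n, f.isAcceptable(n) ? "applied" : "dropped");
        }
    }
}
```

Run it with your own exclude list pasted in to see which of your application's real form field names would be silently dropped after the upgrade.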
Reputation: 1
You are probably looking for the Security Bulletins. Each document describes the summary, the problem, and the solution to resolve the problem. At the end of each document you can find hotfixes if they are available.
Upvotes: 1