The Apache Struts Security Team would like to announce that a number of historic Struts Security Bulletins [1] and related CVE database entries contained incorrect affected release version ranges.
The issue was reported by Christopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center. The reporting entity conducted thorough investigations on this matter, leading to a report to the Apache Struts Security Team. The Apache Struts Security Team worked with the reporters to cross-check said issues and map them to affected Apache Struts General Availability (GA) releases. This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 historic Struts Security Bulletins and respective CVE entries [2] that have been updated to reflect corrections in affected GA version ranges as well as minimum GA versions to contain appropriate fixes for the issues at hand. The full Security Bulletin can be found here: https://cwiki.apache.org/confluence/display/WW/S2-058 The Struts Security Team stresses that while the reporters reference more affected issues and resulting affected version ranges, the Struts Security Bulletins only cover GA versions designated for production use. This led to less corrected Security Bulletins and CVE entries [2] compared to the number of covered issues in the original report. It is very important to understand that while the individual listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the versions recommended by the latest Security Bulletin, which is S2-057 [3] by the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17. The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure. [1] https://cwiki.apache.org/confluence/display/WW/Security+Bulletins [2] https://github.com/CVEProject/cvelist/pull/2423/files [3] https://cwiki.apache.org/confluence/display/WW/S2-057 -- René Gielen http://twitter.com/rgielen