Struts isn't a stand alone program but a framework, typically seen as project dependency which supports web development on the JVM.
I don't know the answer to 1) [although I will at the end go though the process I would attempt to find such programs]. 2) No. Struts2 [which is different code base from struts v1, and does not share the same issues] is a Java Web Framework, it will run on any JEE compliant web server, and will run on embedded web servers such as Jetty. 3) No. And the program list will not determine if the program uses the struts framework. How I would attempt to determine the issue: Most programs will not have been obfuscated (which may make determining this much harder). Java applications are typically packaged as JAR, WAR, or EAR. These are all just zip files. I would automate the process to scan for all such files, open them recursively travel their internal folder structure and search for either struts.xml OR struts2-core-*.jar where "*" is a version number, and accumulate all such files and or paths to these files into a plain text document and then check them by hand [to determine the version of struts, and determine if it has the security exploit and/or is exploitable (if it is isn't accessible to the outside world generally it isn't a concern, of course this depends company size and the nature of what is being secured)]. Some assumptions could be made about the internal project structure that could save a great deal of time but because of build differences these shortcuts (assuming what folder libraries are stored in) could cause you to miss something so it is probably best to just search everything. On Wed, Sep 6, 2017 at 4:56 PM, Sean Son <linuxmailinglistsem...@gmail.com> wrote: > Hello all > > I am new to the mailing list as well as new to Apache Struts. We all heard > in the news about the vulnerability affecting Apache Struts. I have been > tasked to determine which of our servers have Struts running on them. I > have a few questions on how to determine if a server is running Struts or > not: > > 1) How does one determine if a Windows server, running IIS, has the Apache > Struts framework installed on it? > > 2) Does Apache Struts only run on Apache Webserver and Tomcat? > > 3) Is there a simple way to determine if a server has Struts installed, > instead of logging into each of the servers and checking the programs list? > > > I appreciate ALL help! > > > Thanks > > Sean > -- Sent from my C64 using a 300 baud modem
