Apache Struts Zero Day Not Fixed By Patch
Trailrunner7 (1100399) writes "The Apache Software Foundation released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question. Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen of the Apache Struts team. On March 2, a patch was made available for a ClassLoader vulnerability in Struts up to version 2.3.16.1. An attacker would be able to manipulate the ClassLoader via request parameters. Apache said the fix was insufficient to repair the vulnerability."
Of course, the warning is three days old (Score:1)
So... the patch should be out any moment.
All zero-day... (Score:2)
Gee... (Score:3)
Must they absolutely advertise their bugs before they're fixed? Nothing wrong with being open after it's been patched, but this is like "Hey, we tried to fix a bug and failed, so you can totally go check our non-fix to figure out how to exploit this!"
Good thing... (Score:5, Insightful)
Apache Struts announced another general availability release [apache.org] that has the fix on April 24th.
This is why you shouldn't read a blog post when the source material is just as easy to read.
What? There is still an Apache Struts? (Score:5, Funny)
How about that?
Comment removed (Score:5, Insightful)
Why would they strut something like that? (Score:2)