Apache Struts Zero Day Not Fixed By Patch
Trailrunner7 (1100399) writes "The Apache Software Foundation released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question. Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen of the Apache Struts team. On March 2, a patch was made available for a ClassLoader vulnerability in Struts up to version 2.3.16.1. An attacker would be able to manipulate the ClassLoader via request parameters. Apache said the fix was insufficient to repair the vulnerability."
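The submission describes the bug only at the level of "an attacker can manipulate the ClassLoader via request parameters" and "the fix was insufficient". The following is an added example, not code from the post or from the Struts project, showing the general shape of such a fix and why a too-narrow one fails: request parameter names are screened by a deny-list regex before they reach the expression evaluator, and a regex that only matches one spelling of the dangerous prefix lets equivalent spellings through. The two patterns, the probe parameter names and the `classLoader.defaultAssertionStatus` property path are illustrative assumptions chosen for this example; they are not the exact patterns or payloads from the advisory.

```python
import re

# Constructed example of a parameter-name deny list. Names are checked before the
# framework turns them into property-access expressions, so the filter has to reject
# every spelling that the expression language would resolve to the "class" property.

# Assumed weak pattern: only a lowercase "class." prefix at the very start of the name.
NAIVE_EXCLUDE = re.compile(r"^class\..*")

# Assumed hardened pattern: "class" as any path segment, in any case, whether written
# with dot notation (foo.class.bar) or bracket notation (['class'].bar / ["class"].bar).
HARDENED_EXCLUDE = re.compile(
    r"(^|.*\.|.*\[['\"]?)class(\.|\[|['\"]?\]).*",
    re.IGNORECASE,
)

# Constructed probe names; defaultAssertionStatus is a real ClassLoader setter chosen
# because it is harmless, the suffix is irrelevant to whether the name is blocked.
PROBES = [
    "class.classLoader.defaultAssertionStatus",     # plain spelling
    "Class.classLoader.defaultAssertionStatus",     # capitalised first segment
    "['class'].classLoader.defaultAssertionStatus", # bracket notation
    "user.class.classLoader.defaultAssertionStatus",# nested under another property
    "classification",                               # legitimate names that must pass
    "className",
]


def is_blocked(name: str, pattern: re.Pattern) -> bool:
    """True if the deny-list pattern rejects this parameter name."""
    return pattern.match(name) is not None


def filter_params(params: dict, pattern: re.Pattern) -> dict:
    """Return only the request parameters whose names survive the deny list."""
    return {k: v for k, v in params.items() if not is_blocked(k, pattern)}


def bypasses(names, weak: re.Pattern, strong: re.Pattern) -> list:
    """Names the weak pattern lets through but the strong one rejects."""
    return [n for n in names if not is_blocked(n, weak) and is_blocked(n, strong)]


if __name__ == "__main__":
    for n in PROBES:
        print(f"{n:48s} naive={is_blocked(n, NAIVE_EXCLUDE)!s:5s} "
              f"hardened={is_blocked(n, HARDENED_EXCLUDE)}")
    print("slip past the naive filter:", bypasses(PROBES, NAIVE_EXCLUDE, HARDENED_EXCLUDE))
```

The design point is that a deny list over attacker-controlled names must be written against what the downstream parser accepts (case-insensitive property names, bracket syntax, nested paths), not against the one string seen in the original report; the hardened pattern still leaves ordinary names such as `classification` and `className` untouched.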
Must they absolutely advertise their bugs before they're fixed? Nothing wrong with being open after it's been patched, but this is like "Hey, we tried to fix a bug and failed, so you can totally go check our non-fix to figure out how to exploit this!"
Apache Struts announced another general availability release that has the fix on April 24th.
This is why you shouldn't read a blog post when the source material is just as easy to read.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
How about that?