Apache Struts security update disables vulnerable feature

Version of the development framework also fixes an issue with the action mapping mechanism

A new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.

Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts fixes issues that the software's developers had flagged as important.

A mechanism called the Dynamic Method Invocation (DMI) that's known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.

The feature was enabled in previous versions, but users were advised to switch it off if possible. This can be done by setting the struts.enable.DynamicMethodInvocation option to false in struts.xml.

As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version

The new release also addresses an issue with the "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.

"In Struts 2 before, under certain conditions this can be used to bypass security constraints," the Struts developers said in a security advisory.

Additional details about this problem have been intentionally withheld for security reasons until a large number of users upgrade to the new version.

The Struts default action mapping mechanism has been a source of critical security vulnerabilities in the past. Version of the framework released in July added code to sanitize "action:"-prefixed information and completely removed support for the "redirect:" and "redirectAction:" prefixes.

One alternative is for developers to write their own action mapping implementation and stop using the "action:" prefix completely if their applications don't need support for multiple submit buttons, the Struts developers said.

Client-side Java attacks have been under the spotlight this year, but Java Web applications, including those created with Struts, can also be a target for hackers.

Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.

Join the PC World newsletter!

Error: Please check your email address.

Tags patchesapplication developmenttrend microsecuritypatch managementsoftwareApache Software FoundationExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Deals on PC World

Deals on PC World


Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs


Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?