Our security team pointed out a vulnerability related to the struts framework in devtest10.2 that we’ve been asked to resolve.
The location of the vulnerability is: /opt/lisa/devtest-10.2/examples_src/demoapps/lisabank/WEB-INF
They want us to upgrade the version of struts or get rid of the code.
Can you please help us with a resolution on this?
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin like the Convention Plugin) and then: results are used with no namespace and, at the same time, their upper package has no namespace or a wildcard namespace; similarly, the same possibility exists when using a url tag that has neither value nor action set and, at the same time, its upper package has no namespace or a wildcard namespace.
Since the vulnerability has been detected on the DemoApps, we suggest that you choose to remove the /opt/lisa/devtest-10.2/examples_src/demoapps folder if you are not using it.
This way the risk due to the vulnerability could be mitigated immediately and we will take up a proper fix for the original issue in our next release.
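One way to carry out the suggested mitigation in a repeatable, reviewable form, as an added example that is not part of the original answer or of the DevTest product: the script below inventories the struts2-core jars under the demoapps folder named in the question, flags the ones whose version falls inside the affected ranges the answer quotes (2.3 to 2.3.34, 2.5 to 2.5.16), and then moves the folder into a quarantine directory outside the deployed tree instead of deleting it outright, so the files stay available for the later proper fix while no longer being served. DEVTEST_HOME, QUARANTINE, the `--apply` switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the KB answer or the DevTest product).
# Inventories Struts 2 core jars under a DevTest install, flags versions in the
# ranges the answer quotes, and quarantines the demoapps folder rather than
# deleting it. DEVTEST_HOME and QUARANTINE are assumed locations; the demoapps
# path mirrors the one given in the question.

DEVTEST_HOME="${DEVTEST_HOME:-/opt/lisa/devtest-10.2}"
DEMOAPPS="$DEVTEST_HOME/examples_src/demoapps"
QUARANTINE="${QUARANTINE:-$DEVTEST_HOME/quarantine}"

# List every struts2-core jar below a directory, one path per line.
list_struts_jars() {
    find "$1" -name 'struts2-core-*.jar' 2>/dev/null
}

# struts2-core-2.5.16.jar -> 2.5.16
struts_version_from_name() {
    basename "$1" .jar | sed 's/^struts2-core-//'
}

# Exit 0 when the version lies in an affected range quoted in the answer
# (2.3 up to 2.3.34, 2.5 up to 2.5.16). Other lines are reported as not affected.
# cut -s drops lines without a '.', so "2" alone yields empty minor/patch fields.
is_affected_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    patch=$(printf '%s' "$1" | cut -s -d. -f3 | sed 's/[^0-9].*$//')
    patch=${patch:-0}
    [ "$major" = "2" ] || return 1
    case "$minor" in
        3) [ "$patch" -le 34 ] ;;
        5) [ "$patch" -le 16 ] ;;
        *) return 1 ;;
    esac
}

# Move a directory into a timestamped quarantine folder readable only by its
# owner, and print the new location. Nothing happens if the source is absent.
quarantine_dir() {
    src="$1"; root="$2"
    [ -d "$src" ] || { echo "nothing to do: $src is not present" >&2; return 0; }
    mkdir -p "$root"
    dest="$root/$(basename "$src")-$(date +%Y%m%d%H%M%S)"
    mv "$src" "$dest"
    chmod -R go-rwx "$dest"
    echo "$dest"
}

# Report each jar, then quarantine the demoapps folder.
main() {
    list_struts_jars "$DEMOAPPS" | while IFS= read -r jar; do
        v=$(struts_version_from_name "$jar")
        if is_affected_version "$v"; then
            echo "AFFECTED  $v  $jar"
        else
            echo "ok        $v  $jar"
        fi
    done
    quarantine_dir "$DEMOAPPS" "$QUARANTINE"
}

# Only act when explicitly asked: sh mitigate_demoapps.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it once without `--apply` to confirm it does nothing, then with `--apply` on the DevTest host; the printed quarantine path is what to record in the ticket. The version check covers only the two ranges the answer names, so a jar from any other line is reported as `ok` and should be judged against the vendor's current advisory rather than this script.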