Uploaded image for project: 'Velocity Tools'
  1. Velocity Tools
  2. VELTOOLS-171

Remove Struts dependency

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.0.x, 2.x
    • Fix Version/s: 3.0
    • Component/s: VelocityStruts
    • Labels:
    • Flags:
      Important

      Description

      Please upgrade struts to a supported, secure version. At this time, that means upgrading to 2.3.32 or 2.5.10.1

      vulnerabilities

      There are publicly known high severity vulnerabilities, including remote code execution vulns, affecting all versions of Struts 2 except the versions cited above.

      support

      Apache struts 1 reached end of life in the year 2000, but VelocityTools depends upon Struts 1.3.8.

      When vulnerabilities are discovered in unsupported software, the industry standard response is "you need to patch to a supported version." If you get too far behind in patch levels, then it may be very difficult to upgrade due to broken backwards compatibility.

      Furthermore, when vulnerabilities are discovered in supported software, there is no industry standard for determining if it affects unsupported versions. It's entirely possible that there are known vulnerabilities that affect the unsupported Struts 1.3.8 required by Velocity, and nobody will know until they're breached. On the other hand, when there's a supported major version, it's a de-facto industry standard to announce all supported versions that are affected. This means that staying on a supported version increases the chances of seeing vulnerability announcements for vulns that affect Velocity. It also means that staying on an unsupported version is considered equivalent to staying on a known vulnerable version.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                cbrisson Claude Brisson
                Reporter:
                tsohlacol Aaron Katz
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: