Fork me on GitHub
Edit on GitHub

Announcements 2021

Skip to: Announcements - 2020

23 December 2021 - Struts 2.5.28.2 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.28.2 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses Log4j vulnerability CVE-2021-45105 by using the latest Log4j ver. 2.12.3 (Java 1.7 compatible).

Please note, that the Apache Struts itself depends on the log4j-api package only, it’s users’ responsibility to use a proper version of the log4j-core package!

Please read the Version Notes to find more details about performed bug fixes and improvements.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

17 December 2021 - Struts 2.5.28.1 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible).

Please read the Version Notes to find more details about performed bug fixes and improvements.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

12 December 2021 - Security Advice on Log4j 2.15.0

The Apache Struts Security team would like to announce that all the users using the latest Struts 2.5.x series should upgrade Log4j library to the latest 2.15.0 version which addresses the Remote-Code-Execution vulnerability CVE-2021-44228.

This version of Log4j requires Java 8, while Apache Struts 2.5.x series is still using Java 1.7 and because of that we cannot prepare a new patched 2.5.x version. Yet, in most cases this is a drop-in upgrade as Log4j 2.15.0 maintains binary compatibility with previous releases - once you are running on Java 8. In case you are not able to upgrade Log4j, please use one of the described mitigations.

More information can be found here.

All developers are strongly advised to perform this action.

12 December 2021 - Struts 2.5.28 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

Please read the Version Notes to find more details about performed bug fixes and improvements.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

16 November 2021 - Struts 2.5.27 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.27 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

Please read the Version Notes to find more details about performed bug fixes and improvements.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

19 February 2021 - Struts Security Impact Levels

The Apache Struts Security team would like to announce Security Impact Levels which will be used to rate any future Security Bulletins. We also updated the current Security Bulletins to match the levels. Below is the list of the updated bulletins with a new Maximum security rating.

All developers are strongly advised to read about new Security Impact Levels.

Skip to: Announcements - 2020

Next: Kickstart FAQ