Announcements 2021
23 December 2021 - Struts 2.5.28.2 General Availability
The Apache Struts group is pleased to announce that Struts 2.5.28.2 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses Log4j vulnerability CVE-2021-45105 by using the latest Log4j ver. 2.12.3 (Java 1.7 compatible).
Please note that Apache Struts itself depends only on the log4j-api package; it is the users’ responsibility to use a proper version of the log4j-core package!
Please read the Version Notes to find more details about performed bug fixes and improvements.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this upgrade.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
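The note above that Struts depends only on log4j-api, leaving log4j-core to the user, can be checked against a deployment's jar listing. The following is an added example, not code from the Apache Struts project; the function names, the `minimums` parameter and the sample listing are assumptions made for illustration, and the only version floor built in is the 2.12.3 named in this announcement.

```python
import re

# Floor taken from the announcements on this page: Struts 2.5.28.2 moved to
# Log4j 2.12.3 (the Java 7 compatible line). Floors for other Log4j release
# lines are not stated here, so the caller passes them in `minimums`.
PAGE_MINIMUMS = {(2, 12): (2, 12, 3)}

JAR_RE = re.compile(r"(?:^|/)(log4j-(?:api|core))-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def find_log4j(entries):
    """Map artifact name -> sorted version tuples found in a jar listing."""
    found = {"log4j-api": [], "log4j-core": []}
    for entry in entries:
        m = JAR_RE.search(entry)
        if m:
            found[m.group(1)].append(tuple(int(p) for p in m.group(2).split(".")))
    return {name: sorted(versions) for name, versions in found.items()}


def audit(entries, minimums=PAGE_MINIMUMS):
    """Return (status, detail) findings for one deployment's jar listing."""
    found = find_log4j(entries)
    api, core = found["log4j-api"], found["log4j-core"]
    findings = []
    if not core:
        findings.append(("info", "no log4j-core jar bundled in this listing"))
    if len(core) > 1:
        findings.append(("warn", "more than one log4j-core jar present"))
    for ver in core:
        text = ".".join(map(str, ver))
        floor = minimums.get(ver[:2])
        if floor is not None:
            status = "ok" if ver >= floor else "outdated"
        elif ver < min(minimums.values()):
            status = "outdated"   # older than every floor we know about
        else:
            status = "verify"     # release line with no floor supplied
        findings.append((status, "log4j-core " + text))
        if api and ver not in api:
            findings.append(("warn", "log4j-core " + text + " does not match bundled log4j-api"))
    return findings


# Constructed listing: Struts upgraded (log4j-api follows), log4j-core left behind.
SAMPLE = [
    "WEB-INF/lib/struts2-core-2.5.28.2.jar",
    "WEB-INF/lib/log4j-api-2.12.3.jar",
    "WEB-INF/lib/log4j-core-2.12.1.jar",
]

if __name__ == "__main__":
    for status, detail in audit(SAMPLE):
        print(status, detail)
```

The listing can come from `zipfile.ZipFile(path).namelist()` on a WAR file; a `verify` result means the jar is on a Log4j release line for which this page gives no fixed version.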
17 December 2021 - Struts 2.5.28.1 General Availability
The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible).
Please read the Version Notes to find more details about performed bug fixes and improvements.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this upgrade.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
12 December 2021 - Security Advice on Log4j 2.15.0
The Apache Struts Security team would like to announce that all users of the latest Struts 2.5.x series should upgrade the Log4j library to the latest 2.15.0 version, which addresses the Remote-Code-Execution vulnerability CVE-2021-44228.
This version of Log4j requires Java 8, while the Apache Struts 2.5.x series still uses Java 1.7, and because of that we cannot prepare a new patched 2.5.x version. Yet in most cases this is a drop-in upgrade, as Log4j 2.15.0 maintains binary compatibility with previous releases, once you are running on Java 8. If you are not able to upgrade Log4j, please use one of the described mitigations.
More information can be found here.
All developers are strongly advised to perform this action.
12 December 2021 - Struts 2.5.28 General Availability
The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
Below is a full list of all changes:
- [WW-5149] - labelposition attribute broken in Struts 2.5.27
Please read the Version Notes to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this upgrade.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
16 November 2021 - Struts 2.5.27 General Availability
The Apache Struts group is pleased to announce that Struts 2.5.27 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
Below is a full list of all changes:
- PostbackResult uses wrong regex range
- %{id} evaluates different for data-* and value attribute
- Blocking Threads in retrieving text from resource bundle
- Contention when injecting Scope.SINGLETON instances
- CheckboxTag value missing for labelposition
- forbidden name attribute values (size, clone…?) in <s:textfield> using the default theme
- ID param not being set
- Make labelposition deprecated
- Make class attribute deprecated
- Fix the compilation alarms of deprecated methods
- OGNL long conversion
- Upgrade XStream to version 1.4.16
Please read the Version Notes to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
19 February 2021 - Struts Security Impact Levels
The Apache Struts Security team would like to announce Security Impact Levels which will be used to rate any future Security Bulletins. We also updated the current Security Bulletins to match the levels. Below is the list of the updated bulletins with a new Maximum security rating.
- S2-060 Medium -> Moderate
- S2-056 Medium -> Moderate
- S2-055 High -> Important
- S2-054 Medium -> Moderate
- S2-051 Medium -> Moderate
- S2-049 High -> Important
- S2-048 High -> Important
- S2-042 High -> Important
- S2-040 Medium -> Moderate
- S2-039 Medium -> Moderate
- S2-038 Medium -> Moderate
- S2-037 High -> Important
- S2-036 Medium -> Moderate
- S2-033 High -> Important
- S2-032 High -> Important
- S2-031 Medium -> Moderate
- S2-026 High -> Important
- S2-024 Medium -> Moderate
- S2-023 Medium -> Moderate
- S2-022 Medium -> Moderate
- S2-021 High -> Important
- S2-016 Highly Critical -> Critical
- S2-015 Highly Critical -> Critical
- S2-014 Highly Critical -> Critical
- S2-013 Highly Critical -> Critical
- S2-012 Moderately Critical -> Important
All developers are strongly advised to read about new Security Impact Levels.