STRUTS 2.x Vulnerability - CVE-2017-5638

Updated March 27, 2017

On Sunday, March 19th, 2017, Apache announced a critically rated vulnerability in its STRUTS 2 Framework. This vulnerability permits unauthenticated, remote code execution on the Apache server. Vulnerable Struts versions are:

  • Apache Struts 2.3.5 - Struts 2.3.31
  • Apache Struts 2.5 - Struts 2.5.10

Later that week, Apache announced a patch for this vulnerability.

What has Ceridian done?
Ceridian performed a review of our Apache systems looking for these specific versions. 

Conclusion:
Based upon that review, Ceridian has concluded it is not vulnerable to the STRUTS 2.x vulnerability.