In August 2019, the Black Duck Cybersecurity Research Center (CyRC) coordinated with the Apache Software Foundation to publish Apache Struts Security Advisory S2-058. The advisory represents research undertaken in Belfast that examined 64 vulnerabilities across 115 versions of Struts, identifying roughly 50 affected versions per vulnerability. We wanted to share our experiences in a series of blog posts.

This blog series is for a technical audience. It discusses insights, problems we encountered, and solutions we came up with during the project:

Part 1: Building a decade’s worth of Apache Struts versions and their nuances

Part 2: Execution environments

Part 3: Exploitation

Part 4: Version validations and why it’s a lot harder than expected

Part 5: Wrapping up and some insights

This is the second blog post in the series. We recommend reading the first post if you haven't had a chance.