We have found Apache Struts Ver 1.x (yes, these are obsolete versions) bundled
with our Oracle Weblogic & Tomcat (& possibly in Oracle Financials which we're
Our apps colleagues said the applications don't make use of the Struts (though
we can't say with 100% certainty if any of the apps modules developed by past
app developers who had left did call the struts.jar).
Does the presence of struts.* mean we are vulnerable, or do WL or Tomcat have to
call them (or does the code have to contain references to Struts) for it to be vulnerable?
What's the best practice? To deinstall struts (since our apps colleagues said it's
not being used) or to upgrade to current version that offers patches (& keep
To deinstall struts for WL, Tomcat & Oracle Financials, do we just remove the
struts.* files or is there a recommended way to deinstall? We're on Solaris
10 and RHEL6
From the above URL (though I disagree with the responder Hal Cooper to hold off deletion), it looks like Struts is used by
the WL UI console to render the UI. I'll just confirm with our app guys that they don't need to use the UI so that
they can delete Struts.
How is Struts removed? Just move away the struts.* files? (I won't delete them immediately; I'll move or zip
them with a password first to see what breaks.)
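
One way to tell "jar is merely on disk" apart from "an application is wired to Struts 1" before moving any files, as an added example that is not part of the original post. The function names and the JAR/SERVLET/CONFIG/CLASSREF labels are assumptions of this sketch, and it only inspects exploded deployments, so packed WAR/EAR files need to be unpacked to a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): inventory Struts 1 under a
# server tree. Labels JAR/SERVLET/CONFIG/CLASSREF are this script's own.

struts_inventory() {
    root=$1

    # Library merely present on disk.
    find "$root" -type f -name 'struts*.jar' | while IFS= read -r f; do
        echo "JAR $f"
    done

    # Deployment descriptor that registers the Struts 1 front controller.
    find "$root" -type f -name 'web.xml' | while IFS= read -r f; do
        if grep 'org\.apache\.struts\.action\.ActionServlet' "$f" >/dev/null 2>&1; then
            echo "SERVLET $f"
        fi
    done

    # Struts action mappings shipped with an application.
    find "$root" -type f -name 'struts-config*.xml' | while IFS= read -r f; do
        echo "CONFIG $f"
    done

    # Compiled application classes that name Struts types; class names are
    # stored with '/' separators in the class file's constant pool.
    find "$root" -type f -name '*.class' | while IFS= read -r f; do
        if grep 'org/apache/struts' "$f" >/dev/null 2>&1; then
            echo "CLASSREF $f"
        fi
    done
}

# Exit status 0 when something beyond the bare jar points at Struts.
struts_referenced() {
    struts_inventory "$1" | grep -v '^JAR ' | grep . >/dev/null
}

# Run against a directory given on the command line, if any.
if [ $# -gt 0 ]; then
    struts_inventory "$1"
fi
```

A tree that yields only JAR lines is a candidate for the move-aside test described above; any SERVLET, CONFIG or CLASSREF line names the application to raise with its owners first.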