We have found Apache Struts version 1.x (yes, these are obsolete versions) bundled
with our Oracle WebLogic and Tomcat (and possibly in Oracle Financials, which we're
reviewing).
Our application colleagues said the applications don't make use of Struts (though
we can't say with 100% certainty whether any of the application modules developed by past
developers who have since left call struts.jar).
Q1:
Does the presence of struts.* mean we are vulnerable, or do WL or Tomcat have to
call them (or does the code have to reference Struts) for us to be vulnerable?
Q2:
What's the best practice? To deinstall Struts (since our application colleagues said it's
not being used), or to upgrade to a current version that offers patches (and keep
patching it)?
Q3:
To deinstall Struts from WL, Tomcat and Oracle Financials, do we just remove the
struts.* files, or is there a recommended way to deinstall? We're on Solaris
10 and RHEL 6.
From the above URL (though I disagree with the responder Hal Cooper about holding off on deletion), it looks like Struts is used by
the WL UI console to render the UI. I'll just confirm with our app guys that they don't need to use the UI so that
they can delete Struts.
How is Struts removed? Just move away the struts.* files? (I won't delete them immediately; I'll move them, or zip
them with a password, first to see what breaks.)
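As an added example (not from the original post or any reply to it), the check behind Q1 and the "move it and see what breaks" step in the follow-up can be scripted instead of done by eye. The script below inventories the struts*.jar files under an install tree, looks inside each deployed WAR/EAR/JAR (and the jars nested in it) for compiled classes that reference org.apache.struts (a class that uses a Struts type carries the internal name, e.g. org/apache/struts/action/Action, as a UTF8 entry in its constant pool), notes WARs that bundle their own copy of struts.jar in WEB-INF/lib (moving the server-level jar does nothing for those), and moves the server-level jars to a quarantine directory with their original path encoded in the file name so they can be put back. The directory layout, archive names and class contents are constructed for the demo; on a real system point audit() at the WebLogic or Tomcat home.

```python
"""Audit an install tree for Struts 1.x jars and for deployed code that uses them.
Example code written for this page, not the asker's, Oracle's or Apache's; the
directory layout, archive names and class bytes built below are constructed."""
import io
import os
import shutil
import tempfile
import zipfile

# A compiled class that uses a Struts type carries the internal class name
# (e.g. org/apache/struts/action/Action) as a UTF8 constant-pool entry.
STRUTS_MARKER = b"org/apache/struts"


def is_struts_jar(name):
    base = os.path.basename(name).lower()
    return base.startswith("struts") and base.endswith(".jar")


def _scan(data, label):
    """Recursively scan archive bytes. Returns (class entries that reference
    Struts, Struts jars bundled inside the archive), each as label!entry."""
    refs, bundled = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return refs, bundled
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("org/apache/struts/"):
                continue  # Struts' own classes, not an application reference
            if name.endswith(".class"):
                if STRUTS_MARKER in zf.read(info):
                    refs.append(label + "!" + name)
            elif name.endswith((".jar", ".war")):
                if is_struts_jar(name):
                    bundled.append(label + "!" + name)
                sub_refs, sub_bundled = _scan(zf.read(info), label + "!" + name)
                refs.extend(sub_refs)
                bundled.extend(sub_bundled)
    return refs, bundled


def audit(root):
    """Walk root; report struts jars on disk, archives whose classes reference
    Struts, and archives bundling their own copy (paths relative to root)."""
    result = {"struts_jars": [], "referencing": {}, "bundled": {}}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_struts_jar(f):
                result["struts_jars"].append(rel)
            elif f.endswith((".war", ".ear", ".jar")):
                with open(path, "rb") as fh:
                    refs, bundled = _scan(fh.read(), rel)
                if refs:
                    result["referencing"][rel] = refs
                if bundled:
                    result["bundled"][rel] = bundled
    result["struts_jars"].sort()
    return result


def quarantine(root, rel_jars, quarantine_dir):
    """Move (not delete) jars out of the tree; the original path is kept in the
    new file name so a jar can be restored if something breaks."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for rel in rel_jars:
        dest = os.path.join(quarantine_dir, rel.replace("/", "__"))
        shutil.move(os.path.join(root, rel), dest)
        moved.append((rel, dest))
    return moved


def _fake_class(refs):
    # Constructed stand-in for a .class file: magic number plus referenced names.
    return b"\xca\xfe\xba\xbe" + b"\x00".join(r.encode() for r in refs)


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(base):
    """Constructed install: a server-level struts.jar, a WAR whose own class
    extends a Struts Action, and a WAR that bundles struts.jar but never uses it."""
    struts_jar = _jar_bytes({"org/apache/struts/action/Action.class":
                             _fake_class(["java/lang/Object"])})
    legacy_war = _jar_bytes({
        "WEB-INF/classes/com/example/LoginAction.class":
            _fake_class(["com/example/LoginAction", "org/apache/struts/action/Action"]),
        "WEB-INF/lib/struts.jar": struts_jar})
    clean_war = _jar_bytes({
        "WEB-INF/classes/com/example/Health.class":
            _fake_class(["javax/servlet/http/HttpServlet"]),
        "WEB-INF/lib/struts.jar": struts_jar})
    for rel, data in (("lib/struts.jar", struts_jar), ("apps/legacy.war", legacy_war),
                      ("apps/clean.war", clean_war)):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree, audit it, quarantine the server-level jars,
    and return the findings before and after."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as qdir:
        build_sample_tree(base)
        before = audit(base)
        moved = quarantine(base, before["struts_jars"], qdir)
        return {"before": before, "moved": [m[0] for m in moved], "after": audit(base)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The scan only inspects compiled classes, so it will not catch JSP pages that use the Struts taglibs (those are compiled at runtime), a struts-config.xml that WebLogic or Tomcat loads through the ActionServlet, or code that loads Struts classes by dotted name through reflection; treat an empty "referencing" result as a strong hint, not proof, and still do the move-and-watch step from the follow-up. Archives that show up under "bundled" carry their own copy of Struts inside WEB-INF/lib and have to be rebuilt or redeployed; quarantining the server-level jar leaves them untouched.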