troubleshooting Question

struts bundled in WL & Tomcat : are we vulnerable & how to deinstall

Avatar of sunhux
sunhux asked on
Vulnerabilities* WeblogicJava App ServersSecurity
5 Comments3 Solutions299 ViewsLast Modified:
We have found Apache Struts Ver 1.x (yes, these are obsolete versions) bundled
with our Oracle Weblogic & Tomcat (& possibly in Oracle Financials which we're

Our apps colleagues said the applications don't make use of the Struts (though
we can't say with 100% certainty if any of the apps modules developed by past
app developers who had left did call the struts.jar).

Does the presence of struts.* mean we are vulnerable or WL or Tomcat have to
call them (or in the codes, there are references to struts) for it to be vulnerable?

What's the best practice?  To deinstall struts (since our apps colleagues said it's
not being used) or to upgrade to current version that offers patches (& keep
patching them)?

To deinstall struts for WL, Tomcat & Oracle Financials, do we just remove the
struts.* files or is there a recommended way to deinstall?  We're on Solaris
10 and RHEL6
David Favor
Fractional CTO
Join our community to see this answer!
Unlock 3 Answers and 5 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 3 Answers and 5 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros