The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload CVE-2017-5638
via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string CVE-2017-5638
Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions. apache.org — September 9, 2017
Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. apache.org — September 9, 2017
Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless. apache.org — September 9, 2017
Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. apache.org — September 9, 2017
Establish monitoring for unusual access patterns to your public Web resources. We recommend such monitoring as good operations practice for business critical Web-based services. apache.org — September 9, 2017
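The two Apache recommendations that translate directly into tooling are the first (know which framework versions you run) and the last (watch for unusual access patterns). The following is an added example, not code from the Apache Struts project, NVD or the page; it turns the CVE text quoted above into two checks: a version test against the affected ranges (2.3.x before 2.3.32, 2.5.x before 2.5.10.1) and a request-header heuristic for the March 2017 exploitation pattern (a Content-Type header carrying a `#cmd=` string). The sample requests are constructed, not captured traffic; the shortened `%{...}` value is a stand-in for the payload shape, not a working exploit; and flagging the OGNL delimiters `%{` and `${` in addition to the literal `#cmd=` is this example's own assumption about what a practitioner would want to catch.

```python
"""Checks derived from the CVE-2017-5638 description: an affected-version
test and a header heuristic for the in-the-wild probe shape."""
import re

# Fixed versions per the CVE text, keyed by release line.
# Anything below the fixed version within that line is affected.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(version):
    """'2.5.10.1-SNAPSHOT' -> (2, 5, 10, 1); trailing qualifiers are ignored."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def struts_affected(version):
    """True if a Struts 2 version string falls in an affected range."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return False  # not a 2.3.x or 2.5.x release; outside the CVE's scope
    return parsed < fixed  # tuple comparison handles 2.5.10 < 2.5.10.1


# Headers the CVE names as attack vectors; Content-Type was the one seen in the wild.
VECTOR_HEADERS = ("content-type", "content-disposition", "content-length")

# Heuristic: '#cmd=' is the string recorded in the wild; '%{' and '${' are the
# OGNL expression delimiters (assumption: worth flagging in these headers too).
SUSPICIOUS = re.compile(r"#cmd=|%\{|\$\{", re.IGNORECASE)


def parse_headers(raw):
    """Split a raw HTTP request head into (request line, {lowercased name: value})."""
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_request(raw):
    """Return (header, value) pairs in the vector headers that match the heuristic."""
    _, headers = parse_headers(raw)
    hits = []
    for name in VECTOR_HEADERS:
        value = headers.get(name)
        if value is not None and SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits


# Constructed sample traffic (not real captures).
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n"
    "Content-Length: 512\r\n\r\n"
)
PROBE = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n"  # truncated stand-in
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.5.13"):
        print(v, "affected" if struts_affected(v) else "not affected")
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, flag_request(req))
```

The version check is the part to wire into a dependency inventory (the first recommendation); the header check is deliberately crude and is meant to run over access or proxy logs that record request headers (the last recommendation), where a multipart Content-Type that is not a media type at all is already an anomaly worth alerting on, whatever the payload inside it.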
I have talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right? Rep. Greg Walden — October 3, 2017