...
Verify that you have set (and always not forgot to set) namespace
(if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value
or action
for all url
tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace
.
Struts 1
As we do not perform any tests against Struts 1 (Struts 1 was announced EOL) we cannot confirm that this version of Struts is not affected by the vulnerability. An example PoC was using an OGNL expression to perform RCE attack, so you can assume Struts 1 is safe as it doesn't base on OGNL.