Remote Code Execution
It is possible to perform an RCE attack when the namespace value isn't set for a result defined in underlying configurations and its upper action(s) configurations have no or a wildcard namespace. The same possibility exists when using a url tag which doesn't have a value and action set and its upper action(s) configurations have no or a wildcard namespace.
Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16
Verify that you have set (and never forget to set) the namespace, if applicable, for all defined results in underlying configurations. Also verify that you have set (and never forget to set) a value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or a wildcard namespace.
Sonatype recommends upgrading to Apache Struts version 2.3.35 or 2.5.17. If necessary, the workaround can be used, but is not recommended.
Unbounded Memory Allocation/Denial of Service attack
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
These Guava classes accept a caller-specified size parameter, and that is what an attacker leverages. By tampering with the request and supplying a size that demands an abnormally large amount of server memory, far more than is needed to deserialize the object, the attacker can overwhelm the server and cause a denial of service.
Google Guava - need actual components
Set a limit on the size of the object graph that servers will accept. For Java, narrow the classes that can be deserialized from "any class available" to an application, down to a context-appropriate set of classes. If possible, immediately upgrade to Guava 24.1.1 or Guava 25.0 to eliminate the eager allocation of the arrays.
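The following is an added example, not code from Sonatype or Guava, of the two controls above applied with the JDK's ObjectInputFilter (Java 9+): a class allow-list plus graph-size limits. The DeserializationAllowList class and its Order DTO are hypothetical names; AtomicLongArray stands in for any unexpected size-carrying class. Note that a length read inside a class's own readObject is allocated by that class, not by the stream, so the maxarray limit alone does not cover it; rejecting the class outright is what closes that path.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.concurrent.atomic.AtomicLongArray;

public class DeserializationAllowList {

    // Hypothetical application DTO that the server legitimately expects.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id; final double total;
        Order(String id, double total) { this.id = id; this.total = total; }
    }

    // Allow-list filter: only Order and java.lang.String may be deserialized;
    // "!*" rejects everything else before its readObject ever runs. The
    // maxarray/maxdepth/maxrefs limits bound the graph the stream materialises.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1000;maxdepth=10;maxrefs=1000;"
            + "DeserializationAllowList$Order;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);  // install the allow-list on this stream
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserialize(serialize(new Order("A-1", 9.99)));
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed stand-in for an unexpected class carrying its own size:
        // the filter rejects it regardless of the length it would allocate.
        try {
            deserialize(serialize(new AtomicLongArray(4)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejected case surfaces as an InvalidClassException with a "filter status: REJECTED" message, which is a useful string to alert on in application logs.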
Apache Tomcat is vulnerable to Information Disclosure, as it sends the response of a "send file" request (request "A") in response to another request (request "B") that is in the pipeline when the processing of the previous request is completed. An attacker can exploit this vulnerability by sending a request to the targeted system while other requests are being processed. This could allow the attacker to gain sensitive information due to the incorrect response sent when processing of a previous request has completed.
org.apache.tomcat: tomcat-coyote, coyote
org.jboss.web: jbossweb; jboss.web: jbossweb
Recommend upgrading to a component version not impacted by this vulnerability.