While Mo initially discovered the vulnerability in April, code wasn't changed until June. Patches, reflected in version 2.3.35 and 2.5.17 of Struts, arrived Wednesday.

Semmle warned Wednesday that even if an application isn't currently vulnerable, an "inadvertent change to a Struts configuration file may render the application vulnerable in the future."

It's the first time the Apache Struts Team is urging developers to upgrade the framework since March when it updated the Commons FileUpload library to prevent remote code execution attacks and fixed an issue that could have exposed publicly accessible web sites from denial of service attacks.

The reverberations around last fall's Equifax breach were seemingly endless - and expensive, the company said costs could reach in excess of $600 million – it apparently did little to shift consumers' general perceptions around data breaches and identity theft.

Researchers evaluated consumers' mental models of credit bureaus in an academic paper (.PDF) published this month by the University of Michigan's School of Information. In a series of semi-structured interviews with 24 participants the academics found that many respondees failed to look into whether or not they were even affected by the breach. Even fewer took actions to prevent identity theft, like freezing their credit following the breach.

"The high portion of participants who were unaware of available protective measures suggests insufficient knowledge as a primary reason for inaction. Only 3 participants correctly described fraud alerts, and all of them learned it from being affected by previous data breaches and being offered the service as compensation. The remaining participants either said they did not know what fraud alerts were, or associated fraud alerts with alerts sent from banks and credit card companies when fraudulent activities occur," the paper's authors wrote.

Apache Software Foundation feather image via rbowen's Flickr photostream, Creative Commons