An Apache Struts2 vulnerability has been published which allows access to Java class properties by injecting specially crafted parameter names containing the string class. This vulnerability is a modified version of the vulnerability described in [2].
Affected Struts2 versions are 2.0.0 up to 2.3.16.1.
Airlock is not affected because Apache Struts2 is not installed/used in Airlock.
If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.16.2 or higher, or applying the workaround described in [1].
If you can't update Struts2 or apply the workaround, you can configure a case-insensitive deny rule with the following parameter name patterns and enable the deny rule on the affected mapping.
(^|\.)class[.\[]
\[["']class["']\]
The first pattern blocks parameter names of the form class.classLoader or Object.classLoader.
The second pattern blocks parameter names of the form Object['class'] or Object["class"].
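
Before enabling the deny rule on a production mapping, it helps to check the two patterns against parameter names the application legitimately uses. The following is an added example, not part of the original advisory or of Airlock: it assumes Python's re module behaves like the WAF's regex engine for these patterns, that matching is unanchored, and that parameter names are URL-decoded before matching. The function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# The two parameter-name patterns from the advisory, case-insensitive as
# the advisory requires. Assumption: the rule matches anywhere in the name.
DENY_PATTERNS = [
    re.compile(r"""\[["']class["']\]""", re.IGNORECASE),
    re.compile(r"""(^|\.)class[.\[]""", re.IGNORECASE),
]


def denied_names(query):
    """Return the URL-decoded parameter names in `query` hit by a deny pattern."""
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if any(p.search(name) for p in DENY_PATTERNS):
            hits.append(name)
    return hits


def is_blocked(query):
    """True if the request would be rejected by the deny rule."""
    return bool(denied_names(query))


# Constructed sample query strings (not captured traffic) with the verdict
# the deny rule is expected to give.
SAMPLES = [
    ("class.classLoader=1", True),                  # class at start of name
    ("Class.ClassLoader=1", True),                  # case-insensitive match
    ("a=1&Object.class.classLoader=2", True),       # class after a dot
    ("Object%5B%27class%27%5D=1", True),            # Object['class'], encoded
    ("Object%5B%22CLASS%22%5D=1", True),            # Object["CLASS"], encoded
    ("classification=public", False),               # benign: no . or [ follows
    ("user.className=Foo&subclass.id=7", False),    # benign look-alikes
]

if __name__ == "__main__":
    for query, expected in SAMPLES:
        verdict = is_blocked(query)
        flag = "ok" if verdict == expected else "MISMATCH"
        print(f"{flag:8} blocked={verdict!s:5} {query} -> {denied_names(query)}")
```

Replace SAMPLES with parameter names taken from the back-end application's own forms to see whether the deny rule would reject legitimate requests.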