Due to an incomplete fix for CVE-2014-0113 (described in Techzone article [1]), Apache Struts2 versions 2.0.0 up to 2.3.16.2 do not block direct access to Java class properties when CookieInterceptor is used.
The Airlock cookie store, which is active by default, protects back-ends from malicious cookies sent by an attacker by removing the cookies from the request. Airlock therefore prevents exploitation of this vulnerability.
If you have configured passthrough cookies in Airlock, especially using wildcard characters, we recommend upgrading Struts2 to version 2.3.16.3 or higher.
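The following added example (not Airlock or Struts code) shows one way to audit a passthrough list: it reports cookie names that a given pattern set would forward to the back-end and that address the Java `class` property. Assumptions: patterns are treated as Python regular expressions matched against the whole cookie name, which may differ from Airlock's own pattern syntax, and the function names, patterns and Cookie header are constructed for illustration.

```python
import re

# Assumption: a cookie name addresses the class property when any path segment
# (split on '.', '[', ']' and quotes) equals "class". The comparison is
# case-insensitive to keep the audit conservative.
_SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")


def references_class_property(cookie_name):
    """True if any property-path segment of the cookie name is 'class'."""
    return any(seg.lower() == "class" for seg in _SEGMENT_SPLIT.split(cookie_name))


def parse_cookie_names(cookie_header):
    """Extract cookie names from the value of a Cookie request header."""
    names = []
    for part in cookie_header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names


def risky_passthrough(cookie_header, passthrough_patterns):
    """Cookie names that match a passthrough pattern and reference 'class'."""
    compiled = [re.compile(p) for p in passthrough_patterns]
    risky = []
    for name in parse_cookie_names(cookie_header):
        forwarded = any(rx.fullmatch(name) for rx in compiled)
        if forwarded and references_class_property(name):
            risky.append(name)
    return risky


# Constructed sample request header and two constructed passthrough configurations.
SAMPLE_HEADER = "JSESSIONID=abc123; lang=de; classic=1; class.example=1"
WILDCARD_PATTERNS = [".*"]                # forwards every cookie
EXPLICIT_PATTERNS = ["JSESSIONID", "lang"]  # forwards only named cookies

if __name__ == "__main__":
    print("wildcard:", risky_passthrough(SAMPLE_HEADER, WILDCARD_PATTERNS))
    print("explicit:", risky_passthrough(SAMPLE_HEADER, EXPLICIT_PATTERNS))
```

With the wildcard configuration the `class`-addressing cookie reaches the back-end, while the explicit list leaves it in the cookie store's hands.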