Apache has released Struts version 2.3.20 which merges various security fixes and extends an existing security mechanism to block access to given Java packages and Classes.
4edeb149fb5476c15913f77c9224f8266c491df7c2ab120e76888d96b6fcea29
Struts version 2.3.16.3 has been released to extend excluded params to avoid manipulation via the CookieInterceptor.
748de2985bf1e534b05c23a1ad4db03041643d976022e32385f24f6ac7ed6d3a
Apache Struts version 2.3.16.2 GA has been released to address ClassLoader security vulnerabilities.
1331886b3f8fd61bb499958c12f3d2ecbc179c9096709e2979167e1fcd693688