There's a critical remote commands execution vulnerability in XWork(used by
Struts2), which fixed in 2.2.0, which isn't released yet but can be
downloaded here: http://people.apache.org/builds/struts/2.2.0/

More details about this vulnerability can be found here:
http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

Meder