AFAIK, no part of the WPE uses apache struts so FMS would not be vulnerable. WebDirect still uses VAADIN as it's rendering core.
None of my FMS15 installs have apache struts installed or enabled.
I would heed to confirm that on your server though separately, and wait for someone official with FMI, like TSPigeon to give an official response.
It doesn't "appear" that struts is used, but struts is part of Apache Foundation Jakarta which is definitely used in FMS. For example, a recent log file shows :
2017-03-15 06:35:02 188.8.131.52 POST /admin-server/adminhelper.wpe X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=f5c7e320-6d25-4159-8d4b-55e1d38fa187&SERVER-STATUS=200 16000 - 184.108.40.206 Jakarta+Commons-HttpClient/3.0.1 200 0 0 15
I think that in the interest of disclosure, FileMaker should make a statement either way.
Do people still use Apache Struts?
Haven't seen Struts mentioned in a long time (kind of like Tapestry). It's mostly a Spring/Hibernate world these days. What I didn't like about Struts 1.x was that it's web-app only. And, it doesn't hide (abstract) the framework internals (like Spring does) in your Java code.
In any case, sorry, I didn't answer your question, but they did above.
Have you had any official statements from development on this issue?