A significant security vulnerability in Apache Struts 2 was addressed last week, but it is currently being exploited with publicly available proof-of-concept (PoC) code.
Struts is a widely used Java-based web application framework, favored by large corporations and government institutions. Issues in this open-source framework can have severe consequences, reminiscent of the Equifax breach in 2017, which was described as “entirely preventable.”
This flaw is designated as CVE-2024-53677 and has been assigned a high severity score of 9.5 out of 10 on the CVSS rating scale. It impacts Struts versions ranging from 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.
Applications that do not utilize Struts’ File Upload Interceptor component, which was deprecated in version 6.4.0 and completely removed in version 7.0.0, remain unaffected.
Exploiting this vulnerability allows attackers to manipulate file upload parameters, leading to potential path traversal. This may enable them to upload malicious files to restricted directories, which could ultimately result in remote code execution (RCE) under specific circumstances.
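The defect class described above is an upload whose destination is influenced by an attacker-controlled file name. The following Java check is an added illustration of the mitigation, not Struts or Apache code: it confines every upload to its intended directory, rejecting names that carry path separators or traversal segments, and then re-checks containment after normalisation. The base directory and sample file names are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (not Struts code): confine an upload to one base directory. */
public final class SafeUploadPath {

    private SafeUploadPath() {}

    /**
     * Returns the absolute target path for {@code clientFileName} under
     * {@code baseDir}, or null when the name must be rejected: empty, contains a
     * NUL byte, carries any path separator, or is "." / "..". A second,
     * independent containment check runs after normalisation as defence in depth.
     */
    public static Path resolve(Path baseDir, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.indexOf('\0') >= 0) {
            return null;
        }
        // Reject rather than silently strip: a client-supplied name must be a
        // bare file name. Both separator styles are checked because the server
        // may not be on Windows while the client is.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            return null;
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientFileName).normalize();
        // Even a name that passed the lexical checks must still land inside base.
        if (!target.startsWith(base) || target.equals(base)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/app/uploads");   // constructed base directory
        // Constructed sample names: one benign, two traversal attempts.
        String[] samples = {
            "report.pdf",
            "../../webapps/ROOT/x.jsp",
            "..\\..\\conf\\x.xml"
        };
        for (String s : samples) {
            Path p = resolve(base, s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```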
As noted by security intelligence firm Qualys in their advisory, “a vulnerability like CVE-2024-53677 could have extensive repercussions,” including sensitive data breaches and full system compromises.
According to Johannes Ullrich, dean of research at SANS, attackers are actively seeking to exploit this vulnerability using this PoC code.
“Currently, exploit attempts are focused on identifying vulnerable systems,” Ullrich observed.
These exploit attempts are “inspired” by this vulnerability—the code can target at least two different vulnerabilities, he mentioned.
We strongly recommend that users upgrade to at least Struts version 6.4.0 (or the latest release) without delay. However, as highlighted by The Register in a recent article, this can be a complex undertaking.
Apache’s guidance released on December 12 states:
Continuing to use the outdated File Uploader exposes systems to attack risks.
Additionally, Ullrich noted that the latest vulnerability, CVE-2024-53677, appears to be linked to CVE-2023-50164, which Apache addressed in December 2023. He remarked, “The previous vulnerability shares similarities, and an incomplete patch may have resulted in the newer issue.”
Article has been taken from the domain: https://www.theregister.com/2024/12/17/critical_rce_apache_struts/