Critical security hole in Apache Struts under exploit

A critical security hole in Apache Struts 2 – patched last week – is currently being exploited using publicly available proof-of-concept (PoC) code.

Struts is a Java-based web application framework widely used by large enterprises and government agencies. Bugs in this open source project do not tend to end well – remember the “entirely preventable” Equifax breach in 2017?

The flaw is tracked as CVE-2024-53677, it received a 9.5 out of 10 CVSS risk rating, and it affects Struts versions 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.

Applications that don’t use Struts’ File Upload Interceptor component – which was deprecated in version 6.4.0 and removed entirely in 7.0.0 – are safe.

Attackers can exploit the bug to manipulate file upload parameters and enable path traversal. This can be abused to upload malicious files into restricted directories, and can lead to remote code execution (RCE) under certain conditions.

As security intelligence and automation vendor Qualys warned in its advisory, “a vulnerability like CVE-2024-53677 could have far-reaching implications” – such as loss of sensitive data, complete system compromise.

And according to infosec education outfit SANS’s dean of research Johannes Ullrich, attackers are actively trying to exploit this vulnerability using this POC code.

“At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich noted.

Or at least, the exploit attempts are “inspired” by this bug – there are at least two vulnerabilities that could be targeted using this code, he added.

Regardless, we’d strongly suggest users update to at least Struts 6.4.0 (or the latest version) immediately. However, as The Register reported last week, that’s not a simple job.

Here’s what Apache advised in its December 12 disclosure:

Continuing to use the old File Uploader leaves you vulnerable to the attack.

As Ullrich also pointed out, the new vulnerability – CVE-2024-53677 – seems to be related to CVE-2023-50164, which Apache fixed in December 2023. “The older vulnerability is similar,” he wrote, “and an incomplete patch may have led to the newer issue.” ®

READ MORE HERE