Critical security hole in Apache Struts under exploit

You applied the patch that could stop possible RCE attacks last week, right?


A critical security hole in Apache Struts 2 – patched last week – is currently being exploited using publicly available proof-of-concept (PoC) code.

Struts is a Java-based web application framework widely used by large enterprises and government agencies. Bugs in this open source project do not tend to end well – remember the "entirely preventable" Equifax breach in 2017?

The flaw, tracked as CVE-2024-53677, received a 9.5 out of 10 CVSS risk rating and affects Struts versions 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.

Applications that don't use Struts' File Upload Interceptor component – which was deprecated in version 6.4.0 and removed entirely in 7.0.0 – are safe.

Attackers can exploit the bug to manipulate file upload parameters and enable path traversal. This can be abused to upload malicious files into restricted directories, and can lead to remote code execution (RCE) under certain conditions.
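To make the mechanism concrete, here is an added example (not Struts code, and not from Apache or The Register) of the general bug class and the check that closes it: a server that joins a client-supplied filename onto its upload directory lets "../" segments walk out of that directory, whereas keeping only the final path component and then verifying the resolved destination still sits under the upload root does not. The upload directory and filenames below are constructed for illustration. For Struts itself the fix is the migration Apache describes, not a wrapper like this.

```python
"""Added example: the file-upload path traversal pattern and its hardened form.

This is generic illustration code, not part of Struts or of the article.
The upload directory used in the docstrings and tests is a constructed value.
"""
import os
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload directory."""


def unsafe_destination(upload_dir: str, client_filename: str) -> str:
    """The flawed pattern: trust the client's filename and join it onto the
    upload directory. A name such as '../../webapps/ROOT/x.jsp' resolves to a
    location outside upload_dir, which is the traversal the article describes.
    """
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_destination(upload_dir: str, client_filename: str) -> str:
    """Return a destination path guaranteed to lie directly inside upload_dir.

    1. Percent-decode once, so an encoded '%2e%2e%2f' cannot slip past the check.
    2. Reject NUL bytes, which can truncate the name in lower-level code.
    3. Treat backslashes as separators too, then keep only the final component.
    4. Reject empty or dot-only names.
    5. Resolve the final path (following any symlinks) and confirm its parent
       is exactly the resolved upload root.
    """
    name = unquote(client_filename)
    if "\x00" in name:
        raise UnsafeFilename("NUL byte in filename")
    base = PurePosixPath(name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        raise UnsafeFilename(f"unusable filename: {client_filename!r}")
    root = Path(upload_dir).resolve()
    dest = (root / base).resolve()
    # Defence in depth: even after taking only the basename, the resolved
    # destination must sit directly under the upload root. This also catches
    # a pre-planted symlink inside the upload directory pointing elsewhere.
    if dest.parent != root:
        raise UnsafeFilename(f"destination escapes upload directory: {dest}")
    return str(dest)


if __name__ == "__main__":
    # Constructed inputs showing the difference between the two functions.
    root = "/var/www/uploads"
    for raw in ["report.pdf", "../../webapps/ROOT/x.jsp", "%2e%2e%2fevil.jsp", ".."]:
        print(f"{raw!r:32} unsafe -> {unsafe_destination(root, raw)}")
        try:
            print(f"{'':32} safe   -> {safe_destination(root, raw)}")
        except UnsafeFilename as exc:
            print(f"{'':32} safe   -> rejected ({exc})")
```

The check deliberately discards any directory component rather than trying to "clean" it, because sanitising traversal sequences in place (stripping "../" once, for example) tends to be bypassable; whitelisting the final component and then verifying the resolved path is the pattern that survives encoding tricks.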

As security intelligence and automation vendor Qualys warned in its advisory, "a vulnerability like CVE-2024-53677 could have far-reaching implications" – such as loss of sensitive data or complete system compromise.

And according to infosec education outfit SANS's dean of research Johannes Ullrich, attackers are actively trying to exploit this vulnerability using this PoC code.

"At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich noted.

Or at least, the exploit attempts are "inspired" by this bug – there are at least two vulnerabilities that could be targeted using this code, he added.

Regardless, we'd strongly suggest users update to at least Struts 6.4.0 (or the latest version) immediately. However, as The Register reported last week, that's not a simple job.

Here's what Apache advised in its December 12 disclosure:

This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor.

Continuing to use the old File Uploader leaves you vulnerable to the attack.

As Ullrich also pointed out, the new vulnerability – CVE-2024-53677 – seems to be related to CVE-2023-50164, which Apache fixed in December 2023. "The older vulnerability is similar," he wrote, "and an incomplete patch may have led to the newer issue." ®
