Apache issues patches for critical Struts 2 RCE bug

More details released after devs allowed weeks to apply fixes


We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE.

According to the National Vulnerability Database (NVD), which published the CVE on Wednesday, Apache scored CVE-2024-53677 a 9.5 using the CVSSv4 framework while Tenable noted a 9.8 rating using CVSSv3 – take your pick. 

Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater).

Given a Struts bug was linked to the "entirely preventable" Equifax breach in 2017, it makes sense to be on the safe side.


There is also no workaround available for CVE-2024-53677. It's a patch-or-nothing situation.

Describing the flaw, Apache said in its advisory: "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution."

Affected versions include: 

Crucially, applications that don't use Struts' File Upload Interceptor component, which was deprecated as of version 6.4.0 and removed entirely in 7.0.0, are not affected.

As part of the upgrade process, users were also advised to update their file upload mechanism to Action File Upload Interceptor, which replaced the aforementioned component as of version 6.4.0. File Upload Interceptor was deprecated for various reasons related to configuration options, security, performance, and integration capabilities.

Upgrading this mechanism isn't as easy as applying a simple update. Users will have to rewrite their actions to ensure compatibility with Action File Upload, but the alternative isn't acceptable. As Apache notes: "Using the old File Upload mechanism keeps you vulnerable to this attack."
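As an added example (not code from the article or from Apache), here is what such a rewrite looks like: an action that receives files through the Action File Upload Interceptor callback and stores them under a server-generated name, so nothing in the request chooses the destination path. The class and package names, the `actionFileUpload` interceptor ref and the upload directory are assumptions based on Struts 6.4.x and should be checked against the version in use.

```java
// Added example, not from the article or from Apache: a Struts 2 action migrated to
// ActionFileUploadInterceptor, the replacement the advisory points to as of 6.4.0.
// Package names are assumed to match Struts 6.4.x; verify against your version.
// In struts.xml the deprecated "fileUpload" interceptor-ref is replaced with:
//   <interceptor-ref name="actionFileUpload"/>
//   <interceptor-ref name="defaultStack"/>
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;

public class ReportUploadAction extends ActionSupport implements UploadedFilesAware {

    // Fixed destination directory (assumed path); never derived from request parameters.
    private static final Path UPLOAD_DIR = Path.of("/var/app/uploads");

    private List<UploadedFile> uploadedFiles;

    // With actionFileUpload the interceptor hands the parsed files to the action through
    // this callback. The action exposes no setter for the file name, so the stored name
    // is not something a request parameter can populate.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws Exception {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_DIR);
        for (UploadedFile f : uploadedFiles) {
            // The client-supplied name is kept for display only, reduced to its last
            // path element; the on-disk name is generated server-side.
            String original = f.getOriginalName() == null ? "upload" : f.getOriginalName();
            String display = Path.of(original).getFileName().toString();
            Path target = UPLOAD_DIR.resolve(UUID.randomUUID() + ".bin").normalize();
            if (!target.startsWith(UPLOAD_DIR)) {   // defensive check; cannot fail with a UUID name
                addActionError("Rejected upload " + display);
                return INPUT;
            }
            // getAbsolutePath() is assumed to return the interceptor's temporary file location.
            Files.copy(Path.of(f.getAbsolutePath()), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```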

Despite web app developers often opting for different frameworks nowadays, Struts 2 remains widely popular. When Sonatype looked at CVE-2023-50164 last year, a similar vulnerability to CVE-2024-53677 both in nature and criticality, it noted that Struts 2 received around 300,000 download requests a month and 80 percent of those contained the critical bug.

CISA lists eight Apache Struts vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, seven of which lead to remote code execution and one – CVE-2017-5638 (the Equifax one) – known to be used in ransomware attacks. ®
