A critical security vulnerability has been identified in Apache Struts, a popular open-source framework for building Java-based web applications. The flaw is already being used in attacks that rely on a published proof-of-concept (PoC), and it allows attackers to upload malicious files to the server and, under some conditions, execute them.
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. The vulnerability, tracked as CVE-2024-53677, exposes affected systems to Remote Code Execution (RCE) attacks, making it imperative for developers and organizations to take immediate action.
“An attacker can manipulate file upload parameters to enable path traversal and under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution,” Apache stated.
Vulnerability Details
The issue stems from a flaw in the legacy file upload logic of Struts (the FileUploadInterceptor), which can be abused for path traversal.
By manipulating file upload parameters, an attacker can write an uploaded file to a location outside the intended upload directory; if that location is served or executed by the application server, this leads to RCE.
The vulnerability is similar to a previously reported issue, S2-066 (CVE-2023-50164), and poses a significant threat to applications using the vulnerable file upload mechanism.
According to Johannes B. Ullrich, Ph.D., Dean of Research at SANS, the vulnerability, CVE-2024-53677, appears to be related to CVE-2023-50164. The older vulnerability is similar, and an incomplete patch may have led to the newer issue. PoC exploits have been released.
“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich said.
Impact and Affected Versions
The vulnerability affects the following versions of Apache Struts:
- Struts 2.0.0 – Struts 2.3.37 (End of Life)
- Struts 2.5.0 – Struts 2.5.33
- Struts 6.0.0 – Struts 6.3.0.2
Applications that do not use the FileUploadInterceptor are not impacted by this vulnerability.
The vulnerability has been classified as Critical, given its potential to allow attackers to execute arbitrary code remotely.
To mitigate this risk, developers and organizations are strongly advised to do both of the following; upgrading the library version alone does not close the hole, because the old interceptor still ships in 6.4.0 and remains vulnerable if it is still used:
- Upgrade to Apache Struts 6.4.0 or later: this version introduces a new file upload mechanism that addresses the vulnerability.
- Migrate to the new ActionFileUploadInterceptor: moving each file-upload action to this mechanism is what actually removes the vulnerable code path from the application.
It is important to note that the new mechanism is not backward compatible, meaning developers will need to rewrite their actions to implement it.
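As an added illustration of the migration the advisory calls for (this is not code from the article or from the Apache Struts project): a legacy action written against the FileUploadInterceptor setter pattern, beside the same action rewritten for the 6.4.0 ActionFileUploadInterceptor with an explicit path-containment check. The Struts type and method names used (UploadedFilesAware, UploadedFile, withUploadedFiles, getOriginalName, getAbsolutePath) are those of the 6.4.0 API as the editor knows it and should be confirmed against the javadoc of the version you deploy; the upload directory /var/app/uploads and the class names are placeholders. The two classes are shown together but would each live in their own source file.

```java
// Added example, not part of the article or of the Struts project.
// Assumed: Struts 6.4.0 API names; /var/app/uploads is a placeholder directory.
package example;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

/**
 * BEFORE: legacy FileUploadInterceptor pattern. The framework fills the three
 * setters from request data, and the action joins the received file name onto
 * the upload directory without checking it. A name containing path separators
 * and ".." components therefore selects a destination outside UPLOAD_DIR.
 * Shown only as the pattern to migrate away from; do not copy it.
 */
class LegacyUploadAction extends ActionSupport {
    private static final File UPLOAD_DIR = new File("/var/app/uploads");

    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String type) { this.uploadContentType = type; }

    @Override
    public String execute() throws IOException {
        // No validation: the destination path is derived from client-influenced data.
        File dest = new File(UPLOAD_DIR, uploadFileName);
        Files.copy(upload.toPath(), dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER: Struts 6.4.0 mechanism. The action exposes no file-name setters;
 * ActionFileUploadInterceptor hands it UploadedFile objects via
 * withUploadedFiles(). The original name is still client data, so it is
 * reduced to a bare file name and the resolved path is checked to stay
 * under UPLOAD_DIR before anything is written.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> uploadedFiles;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        for (UploadedFile uploaded : uploadedFiles) {
            Path dest;
            try {
                dest = safeDestination(UPLOAD_DIR, uploaded.getOriginalName());
            } catch (IllegalArgumentException e) {
                addActionError("Rejected file name: " + e.getMessage());
                return INPUT;
            }
            // The multipart parser has already stored the body in a temporary file.
            Path tmp = Paths.get(uploaded.getAbsolutePath());
            Files.copy(tmp, dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Reduce a client-supplied name to its last path element and refuse anything
     * that still resolves outside baseDir. Both separators are stripped because
     * the client's operating system is unknown.
     */
    static Path safeDestination(Path baseDir, String clientName) {
        if (clientName == null || clientName.isBlank()) {
            throw new IllegalArgumentException("empty name");
        }
        String leaf = clientName.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IllegalArgumentException("no file name");
        }
        // Defence in depth: confirm containment even after stripping directories.
        Path dest = baseDir.resolve(leaf).normalize();
        if (dest.equals(baseDir) || !dest.startsWith(baseDir)) {
            throw new IllegalArgumentException("escapes upload directory");
        }
        return dest;
    }
}
```

The new interceptor must also be present in the action's interceptor stack; in struts-default.xml for 6.4.0 it is registered under the name actionFileUpload, so an action that still references the old fileUpload interceptor keeps the vulnerable path even after the library upgrade. A further control not shown above is an allow-list of permitted extensions and content types, which stops a file such as a JSP from being stored where the container would execute it even if the path check were bypassed.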
No Workaround Available
There is currently no workaround for this vulnerability. Applications relying on the old file upload mechanism will remain vulnerable until they are updated.
The vulnerability was reported by security researcher Shinsaku Nomura, who identified the flaw and its potential impact on affected systems.
Organizations using Apache Struts are urged to act swiftly to safeguard their systems against this critical security flaw. Failure to upgrade could leave applications exposed to severe risks, including unauthorized access and control by malicious actors.
For more information and detailed upgrade instructions, refer to the official Apache Struts documentation or contact your system administrator immediately.