A serious security flaw in Apache Struts 2, identified as CVE-2024-53677, is currently being exploited by attackers using public proof-of-concept exploits to locate susceptible devices. Apache Struts is a widely used open-source framework for Java-based web applications, utilized by industries such as government, finance, e-commerce, and aviation.
Vulnerability Details
The Apache Struts vulnerability, disclosed publicly six days ago, has been given a critical severity rating with a CVSS score of 9.5. The flaw resides in the framework's file upload logic, enabling path traversal and the uploading of malicious files, potentially leading to remote code execution (RCE).
Affected Versions
- Struts 2.0.0 to 2.3.37 (end-of-life)
- Struts 2.5.0 to 2.5.33
- Struts 6.0.0 to 6.3.0.2
Explanation and Impact
This vulnerability provides an opportunity for attackers to upload dangerous files, such as web shells, into restricted directories, allowing them to remotely execute commands and exfiltrate data. This flaw bears resemblance to CVE-2023-50164, suggesting that an incomplete fix may have allowed the problem to resurface.
Active Exploitation
According to Johannes Ullrich from ISC SANS, there have been observed attempts to exploit this vulnerability, which seem to draw from publicly available exploits. The attackers are using these exploits to upload a file named "exploit.jsp" containing code that verifies successful server exploitation. Currently, these attempts have been tracked back to a single IP address, 169.150.226.162.
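The exploitation pattern above (a traversal-style filename submitted through file upload, followed by a request for the planted .jsp) can be triaged from access logs. The script below is an added example, not code from the article or from the ISC report; it assumes a constructed log format in which the application appends the received upload filename as a final quoted "upload=..." field, and all sample lines are invented.

```python
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic): combined access log with the
# multipart filename the application received appended in a final quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2024:10:01:02 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "upload=report.pdf"
203.0.113.7 - - [18/Dec/2024:10:01:09 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "upload=../../exploit.jsp"
203.0.113.7 - - [18/Dec/2024:10:01:11 +0000] "GET /exploit.jsp HTTP/1.1" 200 38 "-"
198.51.100.4 - - [18/Dec/2024:10:02:00 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "upload=%2e%2e%2fshell.jspx"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<extra>[^"]*)"$')
SERVER_SIDE_EXT = (".jsp", ".jspx", ".jspf")


def upload_name_reasons(name):
    """Return why a submitted upload filename looks like a traversal or web-shell attempt."""
    decoded = unquote(unquote(name))          # catch single- and double-URL-encoded sequences
    parts = decoded.replace("\\", "/").split("/")
    reasons = []
    if ".." in parts:
        reasons.append("path traversal")
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        reasons.append("absolute path")
    if parts[-1].lower().endswith(SERVER_SIDE_EXT):
        reasons.append("server-executable extension")
    return reasons


def triage(log_text):
    """Flag suspicious uploads and any later request that fetches the uploaded file."""
    findings = []
    planted = set()                            # basenames of suspicious uploads seen so far
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, extra = m.group("ip", "method", "path", "extra")
        if method == "POST" and extra.startswith("upload="):
            name = extra[len("upload="):]
            reasons = upload_name_reasons(name)
            if reasons:
                planted.add(unquote(unquote(name)).replace("\\", "/").rsplit("/", 1)[-1].lower())
                findings.append((ip, "suspicious upload", name, ", ".join(reasons)))
        elif method == "GET" and path.rsplit("/", 1)[-1].lower() in planted:
            findings.append((ip, "uploaded file requested", path, "status " + m.group("status")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

A 200 response to the follow-up GET is the strongest signal in this output: it means the planted file is being served and the host should be treated as compromised rather than merely probed.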
Mitigation Steps
Apache urges users to upgrade to Struts version 6.4.0 or later and to transition to the new file upload mechanism. It is important to note that merely applying the patch is insufficient. Users must rewrite their file upload actions to use the new Action File Upload mechanism and its related interceptor, as the outdated mechanism remains vulnerable.
Global Response
Multiple national cybersecurity agencies, including those from Canada, Australia, and Belgium, have issued public advisories, urging prompt action from software developers to address this vulnerability. The pattern of exploitation observed with this vulnerability is reminiscent of similar exploits from last year, where attackers used public exploits to compromise Struts servers for remote code execution. As such, immediate action and vigilance are crucial to safeguard systems against these ongoing threats.