RCE Vulnerability in Apache Struts Actively Exploited

Apache Struts, a popular open-source framework used for developing Java-based web applications, has been found to contain a new vulnerability (CVE-2024-53677) that is already being actively exploited by attackers. Using publicly available Proof of Concept (PoC) code, they can upload and execute malicious files on servers.

Apache Struts is a free and open-source MVC (Model-View-Controller) framework designed to create modern and efficient Java web applications.

This vulnerability stems from a logical flaw in the file upload mechanism. Attackers can manipulate file upload parameters to exploit the “path traversal” vulnerability, allowing them to upload malicious files to the server and use them to execute remote code (RCE).

According to Apache:

“An attacker can manipulate file upload parameters to exploit the path traversal vulnerability, which under certain conditions allows them to upload and execute a malicious file remotely.”

This vulnerability is similar to a previously reported issue, S2-066, and poses a significant risk to applications relying on the vulnerable file upload mechanism.

Dr. Johannes B. Ullrich, Dean of Research at SANS, stated that CVE-2024-53677 appears to be related to CVE-2023-50164. It is believed that an incomplete patch for the earlier vulnerability led to this new issue. Furthermore, PoC exploit code for this vulnerability has already been published, and there are active attempts to exploit it to identify vulnerable systems.

The vulnerability affects the following versions of Apache Struts:

• Struts 2.0.0 – Struts 2.3.37 (End of Life, no longer supported)
• Struts 2.5.0 – Struts 2.5.33
• Struts 6.0.0 – Struts 6.3.0.2

It is important to note that applications not using the FileUploadInterceptor mechanism are not affected by this vulnerability.

The vulnerability has been classified as critical due to its ability to allow remote execution of arbitrary code.

To protect systems, it is recommended to take the following measures:

1. Upgrade to Apache Struts version 6.4.0 or later. The latest version introduces a new file upload mechanism that addresses the vulnerability.
2. Adopt the Action File Upload Interceptor. Migrating to the updated file upload mechanism is essential to safeguard applications from such attacks.

It should be noted that the new file upload mechanism is not backward-compatible, requiring developers to rewrite application actions accordingly.

Currently, there are no alternative solutions to mitigate this vulnerability. Applications relying on the outdated file upload mechanism will remain vulnerable until updated.

Organizations using Apache Struts are strongly urged to take immediate action to protect their systems from this critical vulnerability. Failing to update may expose applications to significant risks, including unauthorized access and control by attackers.