Proof-of-Concept Released for Critical Apache Struts Vulnerability
CVE-2024-53677 could allow unauthenticated remote code execution, path traversal or upload of malicious files
Summary
CVE-2024-53677 could allow unauthenticated remote code execution, path traversal or upload of malicious files
Affected platforms
The following platforms are known to be affected:
Threat details
End-of-life versions and new file upload mechanism
Apache has stated Struts versions 2.0.0 through 2.3.37 are end-of-life (EOL) and are no longer supported.
CVE-2024-53677 is a vulnerability in the File Upload Interceptor. As of Struts version 6.4.0 this interceptor is deprecated, and it was removed entirely in version 7.0.0. Applications that do not use the File Upload Interceptor are not considered vulnerable. Apache advises that organisations upgrading to the latest version of Struts must also rewrite their applications to replace the File Upload Interceptor with the new file upload mechanism in order to fully remediate.
Introduction
Apache has released a security bulletin addressing a critical vulnerability in Apache Struts 2. Apache Struts is an open-source model-view-controller (MVC) framework for creating Java web applications.
CVE-2024-53677 is an 'Unrestricted Upload of File with Dangerous Type' vulnerability with a CVSSv4 score of 9.5. It exists in the File Upload Interceptor, which gives developers a simple way to add file upload support to an action. If CVE-2024-53677 is exploited, a remote unauthenticated attacker could traverse system paths, upload malicious files and perform remote code execution (RCE).
Proof-of-Concept code released for CVE-2024-53677
A public proof-of-concept is available for CVE-2024-53677. Exploitation is considered more likely.
Remediation advice
Affected organisations are encouraged to review the Apache security bulletin S2-067, upgrade to Apache Struts version 6.4.0 or higher, and migrate to the new file upload mechanism so that file upload functionality continues to work.
Remediation steps
Type | Step
---|---
Patch | Upgrade Apache Struts to version 6.4.0 or higher. https://cwiki.apache.org/confluence/display/WW/S2-067
Action | For continued file upload functionality organisations must migrate from the File Upload Interceptor (deprecated as of Struts 6.4.0) to the new Action File Upload Interceptor (available since Struts 6.4.0). NOTE: Apache states 'this change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Using the old File Upload mechanism keeps you vulnerable to this attack.' https://struts.apache.org/core-developers/action-file-upload-interceptor
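The migration the remediation step describes, as an added example that is not code from the advisory or from the Struts project: a legacy action written against the File Upload Interceptor (the pre-6.4.0 pattern, shown only as the 'before' form) beside the same action rewritten for the Action File Upload Interceptor, which hands the action `UploadedFile` objects through the `UploadedFilesAware` interface instead of populating filename and content-type setters from request parameters. The upload directory, the extension allow-list, the `sanitizeFileName` helper and the cast of `getContent()` to `java.io.File` are assumptions made for this example; the `ActionSupport` package shown is the Struts 6.x one.

```java
// Added example: legacy File Upload Interceptor action (before) and its
// migrated Action File Upload Interceptor form (after). Not advisory or
// project code; paths, allow-list and helper names are assumptions.
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;               // Struts 6.x package
import org.apache.struts2.action.UploadedFilesAware;          // since Struts 6.4.0
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * BEFORE (Struts < 6.4.0 pattern). The File Upload Interceptor fills these
 * setters by matching request parameter names ("upload", "uploadFileName",
 * "uploadContentType"). This is the mechanism the advisory says must be
 * replaced; it is reproduced only so the migration below is clear.
 */
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String type) { this.uploadContentType = type; }

    @Override
    public String execute() throws IOException {
        // The target name comes straight from an interceptor-populated field.
        Path target = Paths.get("/var/app/uploads", uploadFileName);
        Files.copy(upload.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER (Struts 6.4.0+ pattern). The action implements UploadedFilesAware and
 * the actionFileUpload interceptor calls withUploadedFiles(); there are no
 * filename or content-type setters for a request parameter to reach.
 * The action's interceptor stack must include "actionFileUpload".
 */
public class UploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");      // assumed
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "jpg"); // assumed

    private UploadedFile uploadedFile;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (uploadedFiles != null && !uploadedFiles.isEmpty()) {
            this.uploadedFile = uploadedFiles.get(0);   // single-file form field
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            addActionError("No file was uploaded.");
            return INPUT;
        }
        String safeName = sanitizeFileName(uploadedFile.getOriginalName());
        if (safeName == null) {
            addActionError("File name or type not permitted.");
            return INPUT;
        }
        // Resolve against the fixed upload directory and confirm the result
        // is still inside it before writing anything.
        Path target = UPLOAD_DIR.resolve(safeName).normalize();
        if (!target.startsWith(UPLOAD_DIR)) {
            addActionError("File name not permitted.");
            return INPUT;
        }
        // Assumption: the default UploadedFile implementation wraps a java.io.File.
        File temp = (File) uploadedFile.getContent();
        Files.copy(temp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }

    /** Helper (assumed): keep only the last path element, reject odd names,
     *  and require an allow-listed extension. Returns null when rejected. */
    static String sanitizeFileName(String original) {
        if (original == null || original.isBlank()) return null;
        String name = original.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) return null;
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return null;
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXT.contains(ext) ? name : null;
    }
}
```

The point of the rewrite is structural rather than cosmetic: in the 'after' form the only way file data reaches the action is through `withUploadedFiles`, so the application never exposes a parameter-driven filename setter, and the sanitisation and directory check are applied before the temporary file is copied anywhere. Per the Struts documentation linked in the table, the action must run through a stack that contains the `actionFileUpload` interceptor rather than the deprecated `fileUpload` one; check the project's `struts.xml` for custom stacks that still reference the old interceptor.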
Definitive source of threat updates
Last edited: 17 December 2024 2:31 pm