Cybersecurity experts have raised alarms over a newly uncovered vulnerability affecting Apache Struts, a widely used framework in enterprise applications. This flaw, tracked as CVE-2024-53677, enables threat actors to execute remote code, posing significant risks to organizations utilizing vulnerable versions.
With a CVSS severity score of 9.5 out of 10, this vulnerability is classified as critical. It bears similarities to another serious flaw fixed by developers in December 2023, referenced as CVE-2023-50164, which was also actively exploited shortly after its announcement. Given the critical nature of these vulnerabilities, the potential for widespread exploitation raises urgent concerns among IT security professionals.
As reported by the Apache advisory, the vulnerability allows attackers to manipulate file upload parameters, which can result in path traversal. This provides an avenue for malicious uploads, enabling remote code execution capabilities. Once compromised, attackers can potentially run commands, exfiltrate sensitive data, or deploy additional malicious payloads for further exploitation.
This vulnerability affects several Struts versions, specifically from 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. Importantly, the issue has been patched in Struts version 6.4.0 and later. Organizations running outdated software are encouraged to upgrade promptly to mitigate the associated risks.
Regarding the origin of this vulnerability, Dr. Johannes Ullrich from SANS Technology Institute suggested that the incomplete patch for CVE-2023-50164 could have paved the way for the new exploit. Evidence of exploitation attempts has been observed, targeting systems vulnerable to this newly disclosed flaw. Ullrich noted that current efforts appear focused on identifying vulnerable instances before attempting to locate the maliciously uploaded scripts.
As part of the response strategy, businesses are advised to not only upgrade their Struts installations but also to adapt their code to incorporate the new Action File Upload mechanism, along with the corresponding interceptor to enhance security.
Apache Struts is integral to many business IT infrastructures, facilitating various applications, including public-facing portals and internal productivity tools. Saeed Abbasi, a product manager at Qualys, emphasized that vulnerabilities such as CVE-2024-53677 could have extensive implications given the framework’s pervasiveness in high-stakes environments. Businesses must remain vigilant and proactive in addressing potential security gaps to safeguard their digital assets.
Update
Recent data from attack surface management firm Censys indicates the existence of 13,539 web applications utilizing the Apache Struts framework, with 69% of these located in the United States. However, not all instances may be running a vulnerable version, highlighting the need for continuous monitoring and assessment of security postures.
