A critical security flaw in Apache Struts is under attack, so patch now

News
By
published

A bug was found allowing threat actors to run arbitrary code remotely

A digital representation of a lock
(Image credit: Altalex)
  • Security researchers warn an Apache Struts 2 flaw is being actively exploited
  • The attack surface is relatively big, with companies worldwide possible affected
  • A patch is available, and users are urged to apply it

A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging users to apply the patch or run the latest version as soon as possible.

Apache Struts 2 is an open source web application framework for developing Java-based web applications. It aims to simplify the creation of interactive web applications and is often used by large enterprises and government agencies.

Apache recently reported finding a “file upload logic” flaw in versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. Versions 6.4.0 and 7.0.0 were deemed safe. The bug is tracked as CVE-2024-53677, and has a severity score of 9.5/10 (critical), since it can be used to manipulate upload parameters, and thus enable path traversal. As a result, malicious actors can upload arbitrary files into restricted directories, enabling remote code execution (RCE), and thus data theft and system takeover.

Patching the flaw

Apache has released a patch for the flaw, but at the same time, a proof-of-concept (PoC) exploit was made publicly available.

The bare minimum users should do is upgrade to version 6.4.0, since this one does not use the flawed Struts' File Upload Interceptor component.

In their writeup, cybersecurity researchers from Vulcan stressed Apache Struts flaws were “prime targets for attackers”, reminding their readers about the Equifax breach from 2017, which was attributed to a similar flaw. They also said that Struts 2 has significant download volume - roughly 300,000 monthly requests - meaning the attack surface is quite large.

Finally, they said CISA already added multiple Struts RCE flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Via The Register

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.