Apache Struts 2 Vulnerability Enables Remote Code Execution
2024-12-13
Learn about the critical importance of patch management and protecting cloud environments from vulnerabilities in widely used software frameworks like Apache Struts 2.
The article discusses a critical remote code execution (RCE) vulnerability in Apache Struts 2 that has been patched. The flaw allows attackers to exploit file upload parameters to execute malicious code remotely, and it has a high severity rating. Apache advises upgrading to version 6.4.0 or later, as there are no workarounds, and applications not using the deprecated File Upload Interceptor are not affected. Users must update to the Action File Upload Interceptor and rewrite actions for compatibility. Despite newer frameworks, Struts 2 remains popular, with substantial download requests, highlighting the urgency of addressing this vulnerability.
Patch Management, Web App/Website Vulnerability, Open Source
Apache Struts 2, CVE-2024-53677, Remote Code Execution, Vulnerability, File Upload Interceptor
CVE-2024-53677; CVE-2023-50164; CVE-2017-5638
Apache Struts 2
Critical Vulnerability in Apache Struts 2

Understanding the Vulnerability
Apache has recently addressed a significant security issue in its Struts 2 framework, which is widely used for building web applications. The vulnerability, identified as CVE-2024-53677, is a remote code execution (RCE) flaw that poses a severe threat to systems running the software. It allows attackers to exploit file upload parameters, leading to the potential execution of malicious code remotely. The issue is particularly critical because it does not require the attacker to hold any special privileges, which makes it easier to exploit. The impact on system confidentiality, integrity, and availability is substantial, and the vulnerability has received high severity scores: 9.5 under CVSSv4 and 9.8 under CVSSv3.

No Workaround Available
A crucial aspect of this vulnerability is the absence of any available workaround. The only solution is to patch the software by upgrading to Struts 6.4.0 or later. The urgency is underscored by the vulnerability's potential for significant damage, reminiscent of the 2017 Equifax breach, which was linked to a similar Struts flaw.

Affected Components
Not all applications using Struts are affected. Specifically, those not using the deprecated File Upload Interceptor component, which was removed entirely in version 7.0.0, are safe. Applications still relying on this component, however, must transition to the new Action File Upload Interceptor, introduced in version 6.4.0.

Challenges in Upgrading
Upgrading to the new file upload mechanism involves more than a straightforward version bump. Users need to rewrite their actions to ensure compatibility with the Action File Upload Interceptor. Despite these challenges, sticking with the old mechanism leaves systems vulnerable to attack.

Struts 2 Popularity and Prevalence
Despite the availability of newer frameworks, Struts 2 remains widely used, with around 300,000 download requests per month. Alarmingly, 80% of these downloads were of versions containing a critical vulnerability similar to CVE-2024-53677. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed eight Apache Struts vulnerabilities in its Known Exploited Vulnerabilities catalog, underscoring the framework's ongoing security challenges.
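Worked illustration of the action rewrite described under "Challenges in Upgrading", added here rather than taken from the article or from the Struts project: a legacy action shaped for the deprecated File Upload Interceptor beside the same action rewritten against the Action File Upload Interceptor's UploadedFilesAware interface. The field names, the upload directory, the single-file form and the assumption that the action's interceptor stack references actionFileUpload instead of fileUpload are illustrative choices, not taken from the article.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.UUID;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Legacy shape for the deprecated File Upload Interceptor ("fileUpload"): the file, its
// client-supplied name and its content type all arrive through plain action setters.
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String type) { this.uploadContentType = type; }
}

// Rewritten for the Action File Upload Interceptor ("actionFileUpload", Struts 6.4.0+):
// the interceptor passes UploadedFile objects to withUploadedFiles(); the action has no
// public setter for the file name or content type.
public class UploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR = Path.of("/var/app/uploads"); // assumed location
    private UploadedFile uploadedFile;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) {
            this.uploadedFile = uploadedFiles.get(0); // single-file form assumed
        }
    }

    @Override
    public String execute() throws Exception {
        if (uploadedFile == null) {
            addActionError("no file uploaded");
            return INPUT;
        }
        // Use the client-supplied name for display only (base name, no directory part)
        // and store the content under a server-generated name inside UPLOAD_DIR.
        String shownName = Path.of(uploadedFile.getOriginalName()).getFileName().toString();
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID() + ".bin").normalize();
        Files.copy(((File) uploadedFile.getContent()).toPath(), target);
        addActionMessage("stored upload " + shownName + " as " + target.getFileName());
        return SUCCESS;
    }
}
```

The rewritten action never lets a request parameter decide where or under what name the file is written, which is the property the migration is meant to restore.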
https://www.theregister.com/2024/12/12/apache_struts_2_vuln/