CVE-2024-53677 (CVSS 9.5): Critical Vulnerability in Apache Struts Allows Remote Code Execution
Developers using the popular Apache Struts framework are urged to update immediately following the disclosure of a critical security flaw (CVE-2024-53677, CVSS 9.5, Apache advisory S2-067) that can allow attackers to execute code remotely.
The vulnerability, a close relative of last year's S2-066 (CVE-2023-50164), resides in the file upload logic of Apache Struts 2.0.0 through 2.3.37 (end of life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2. By manipulating file upload parameters, an attacker can achieve path traversal on the upload destination and, under some circumstances, write a file of their choosing to a location where the server will later execute it.
“An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” warns the official security advisory.
The impact of successful exploitation could be severe, ranging from data breaches and system compromise to complete takeover of the affected server. Organizations utilizing Apache Struts in their web applications are strongly advised to take immediate action to mitigate this risk.
The Apache Struts team has addressed the vulnerability in version 6.4.0. However, simply upgrading is not enough: the legacy file upload mechanism is still present in 6.4.0 (deprecated, not removed), and any action that continues to use it remains exploitable. Developers must migrate their actions to the new Action File Upload mechanism.
“This change isn’t backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor,” the advisory explains. “Keeping the old File Upload mechanism keeps you vulnerable to this attack.”
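To make the required migration concrete, the following is an added example written for this article; it is not code from the Apache advisory or the Struts project. It places the legacy setter-based upload action beside a rewrite onto the Action File Upload mechanism introduced in 6.4.0. Assumptions: the action runs in an interceptor stack that references `actionFileUpload` instead of `fileUpload`, the default multipart parser is in use so that `UploadedFile.getContent()` yields a `java.io.File`, and uploads are stored under `/var/app/uploads`. The `safeTarget` helper is our own addition, not part of the framework.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Collections;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * Legacy pattern (old fileUpload interceptor). The framework populates these
 * setters from the request, so the client-supplied file name flows straight
 * into the destination path. This is the pattern the advisory says must be
 * rewritten; it is shown here only as the "before".
 */
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String ct) { this.uploadContentType = ct; }

    @Override
    public String execute() throws IOException {
        // Vulnerable: a name such as "../../webapps/ROOT/x.jsp" escapes the directory.
        Path target = Paths.get("/var/app/uploads", uploadFileName);
        Files.copy(upload.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * Rewritten for Struts 6.4.0+. The actionFileUpload interceptor hands the
 * files to withUploadedFiles(); no name or content-type setter is exposed,
 * and the destination is derived from a fixed base directory plus a
 * validated leaf name.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumption: the upload directory for this example.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> files = Collections.emptyList();

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.files = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile f : files) {
            Path target = safeTarget(UPLOAD_DIR, f.getOriginalName());
            // Assumption: default multipart parser, so getContent() is a java.io.File.
            File tmp = (File) f.getContent();
            Files.copy(tmp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Reduce the client-supplied name to its last path segment (treating both
     * '/' and '\' as separators), reject ".", ".." and empty names, then
     * confirm the normalized result is a direct child of base. Throws on any
     * attempt to escape the upload directory.
     */
    static Path safeTarget(Path base, String clientName) {
        if (clientName == null || clientName.trim().isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        String leaf = clientName.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + clientName);
        }
        Path target = base.resolve(leaf).normalize();
        if (!target.startsWith(base) || !base.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload dir: " + clientName);
        }
        return target;
    }
}
```

The `safeTarget` check is defence in depth rather than a substitute for the migration: the real fix is that `SafeUploadAction` no longer has a setter through which the framework (or a manipulated request) can assign the file name, so there is nothing for an attacker to reach. Keeping the name validation as well means a future change to how the file name is obtained cannot quietly reintroduce the traversal.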
This mandatory code change is likely to slow patching for some teams and leave systems exposed in the meantime. It is therefore crucial to prioritize the update and allocate the resources for a complete migration, not just a dependency bump. A practical check: after upgrading, audit every interceptor stack in struts.xml for references to the old fileUpload interceptor and every action for the legacy setter triplet (file, file name, content type) that it populates; any remaining instance still carries the vulnerability.
By promptly addressing this vulnerability, organizations can significantly reduce their risk of falling victim to attacks exploiting CVE-2024-53677.