Introduction

A critical vulnerability designated CVE-2024-53677 has been discovered in the Apache Struts application framework, which is widely used to build web applications [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]. The vulnerability is being actively exploited, posing significant risk to affected systems. The flaw affects multiple versions of Struts, including unsupported ones [9], and carries a high CVSS score of 9.5 [8], underscoring its severity [9]. Addressing it requires remediation effort beyond standard patching.

Description

A critical vulnerability tracked as CVE-2024-53677 has been identified in the Apache Struts application framework, which is widely used for web applications, and it is currently under active exploitation. The flaw affects multiple versions, including the unsupported Struts 2.0.0 to 2.3.37 and 2.5.0 to 2.5.33 [9], as well as Struts 6.0.0 to 6.3.0.2 [4] [6] [8], and carries a CVSS score of 9.5, reflecting its critical nature [4]. The vulnerability arises from flawed file upload logic in the deprecated File Upload Interceptor, which allows attackers to manipulate upload parameters and perform path traversal [8]. Successful exploitation can lead to arbitrary file uploads into restricted directories, which in turn can enable remote code execution (RCE) [3] [4] [7] [9], data theft [3], and system takeover [3].

The issue is particularly concerning because it also affects the Identity Manager Management Console within the Identity Governance and Administration Identity Suite software, specifically the environment and roles-and-tasks XML import process [1]. Addressing the vulnerability is complicated by the age of the framework, which often requires more than applying a standard patch [2]. Remediation of CVE-2024-53677 requires developers to rewrite all affected file upload code [7], since simply upgrading to a fixed version does not mitigate the risk [7]. Migration to the new Action File Upload mechanism is essential [9]: the legacy file upload logic remains vulnerable, and the new mechanism is not backward-compatible with it.

Chris Wysopal, chief security evangelist at Veracode, emphasizes that older applications are typically not integrated with modern CI/CD pipelines, which makes updating the Struts 2 library and deploying new versions of vulnerable applications a labor-intensive process [2]. This increased manual effort can leave applications exposed for extended periods, during which attackers may exploit the weakness [2]. Cybersecurity researchers have observed ongoing exploitation attempts [9], with attackers actively scanning for vulnerable systems [8] [9]. Reports indicate that exploitation has been occurring since late 2023, particularly in relation to CVE-2023-50164, highlighting the ongoing risks associated with outdated frameworks.

Although exploitation in the wild has been reported [7], the specific payloads observed do not appear to be effective against CVE-2024-53677 [7]. The flaw is nonetheless of high value to attackers because of the potential for unauthenticated RCE, but its exploitability is rated low because payloads must be customized for each target application [7]. Wysopal anticipates that exploitation of this vulnerability will continue for weeks as organizations work to identify and remediate all instances of Struts 2 usage [2].

To mitigate the risk [4] [6] [7] [8] [9], file upload endpoints that use the vulnerable File Upload Interceptor must be refactored to use the Action File Upload Interceptor instead [7]. Simply updating to Struts 2 version 6.4.0 or later is insufficient for protection, because that version does not address the vulnerability, nor do subsequent 6.x releases as of December 18, 2024 [7]. Exploitation requires knowledge of an upload endpoint that employs a File Upload Interceptor, and while black-box exploitation is feasible, attackers need to understand the specific upload form field names [7]. Each vulnerable application may implement file uploads differently, so bespoke payloads are needed for exploitation; automated payload spraying may occur, but threat actors will need to tailor their payloads to each specific target [7]. No patch has been issued for CVE-2024-53677, and the recommended Action File Upload Interceptor does not sanitize file names, leaving that responsibility to developers [7].
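The following is an added illustration of the remediation described above, written for this page rather than taken from the cited sources or the Apache Struts project. It shows a Struts 2 action that receives uploads through the Action File Upload mechanism (the UploadedFilesAware interface and UploadedFile type introduced for the ActionFileUploadInterceptor in Struts 6.4.0) and performs the file-name sanitization that the new interceptor leaves to the developer. The package name, the upload directory, and the allowed file-name pattern are assumptions; the cast of getContent() to java.io.File reflects how the multipart parser exposes the temporary file in the 6.x line and should be checked against the version in use.

```java
// Added example, not code from the cited sources or the Struts project.
// Assumes Struts 6.4.0 or later and an interceptor stack that references
// "actionFileUpload" rather than the deprecated "fileUpload" interceptor.
package example; // hypothetical package

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed destination directory; read it from configuration in a real deployment.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Conservative allow-list for stored names: no separators, no control characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,128}");

    private List<UploadedFile> uploadedFiles;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        // The interceptor passes the parsed files directly to the action, so request
        // parameters cannot overwrite the target name or path as they could with the
        // legacy File Upload Interceptor.
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_ROOT);
        for (UploadedFile uploaded : uploadedFiles) {
            // getOriginalName() is the client-controlled name from the multipart part.
            Path target = resolveTarget(uploaded.getOriginalName());
            if (target == null) {
                addActionError("Rejected file name");
                return INPUT;
            }
            // getContent() yields the temporary file written by the multipart parser.
            File temp = (File) uploaded.getContent();
            // No REPLACE_EXISTING: an upload may not clobber a file that is already there.
            Files.copy(temp.toPath(), target);
        }
        return SUCCESS;
    }

    /**
     * Reduce the client-supplied name to a basename, accept only the allow-listed
     * character set, and confirm the resolved path stays inside UPLOAD_ROOT.
     * Returns null when the name is unacceptable.
     */
    static Path resolveTarget(String clientName) {
        if (clientName == null) {
            return null;
        }
        // Strip any directory component, whether "/" or "\" separated.
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")
                || !SAFE_NAME.matcher(base).matches()) {
            return null;
        }
        Path target = UPLOAD_ROOT.resolve(base).normalize();
        // Defence in depth: even a sanitised name must not escape the upload root.
        return target.startsWith(UPLOAD_ROOT) ? target : null;
    }
}
```

The action's struts.xml entry must reference the actionFileUpload interceptor (or a stack built on it) instead of fileUpload; leaving the legacy interceptor in the stack keeps the vulnerable code path reachable regardless of the Struts version. The allow-list rejects names such as "../etc/passwd" and "..\\web\\shell.jsp" before the path is ever resolved, and the startsWith check catches anything the basename step missed.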

The Cybersecurity and Infrastructure Security Agency (CISA) has included multiple Struts RCE flaws in its Known Exploited Vulnerabilities (KEV) catalog [3], and organizations are urged to take immediate action to protect their systems from compromise [9]. The significant download volume of Struts 2, approximately 300,000 monthly requests, indicates a large attack surface and makes it an attractive target, reminiscent of the 2017 Equifax breach linked to a similar vulnerability [3]. A proof-of-concept (PoC) exploit has also been made publicly available [3], adding to the urgency for organizations to address this vulnerability. Organizations running vulnerable versions, particularly in sectors such as government, telecommunications, finance, and e-commerce, are at high risk [4]. Efforts are currently underway to evaluate options for addressing or mitigating the vulnerability, with updates to be provided as the investigation progresses [1].

Conclusion

The CVE-2024-53677 vulnerability in Apache Struts presents a significant threat because of its potential for remote code execution and system compromise. Mitigation requires a comprehensive approach, including refactoring file upload endpoints and adopting the Action File Upload Interceptor. Organizations must prioritize addressing this vulnerability to prevent exploitation, especially given the large attack surface and the availability of a proof-of-concept exploit. Continued vigilance and proactive measures are essential to safeguard systems against this and similar vulnerabilities in the future.

References

[1] https://knowledge.broadcom.com/external/article/384324/apache-struts-vulnerability-cve202453677.html
[2] https://www.darkreading.com/application-security/actively-exploited-bug-struts-2
[3] https://www.techradar.com/pro/security/a-critical-security-flaw-in-apache-struts-is-under-attack-so-patch-now
[4] https://cyble.com/blog/acsc-warns-of-remote-code-execution-risk-in-apache-struts2/
[5] https://www.heise.de/en/news/Patch-now-Attackers-exploit-critical-security-vulnerability-in-Apache-Struts-10214341.html
[6] https://securityaffairs.com/172109/hacking/apache-struts-vulnerability-cve-2024-53677-flaw.html
[7] https://attackerkb.com/assessments/28f08c0a-702c-4ab0-99cb-eea00202fa2c
[8] https://cybermaterial.com/critical-apache-struts-flaw-enables-rce/
[9] https://www.techmonitor.ai/technology/cybersecurity/hackers-exploit-critical-file-upload-flaw-apache-struts-framework
[10] https://www.secpod.com/blog/security-alert-critical-apache-struts-vulnerability-under-active-exploitation/