
WARNING: CRITICAL VULNERABILITY IN APACHE STRUTS, CVE-2024-53677 CAN LEAD TO RCE, PATCH IMMEDIATELY!

Reference: Advisory #2024-291
Version: 2.0
Affected software: Apache Struts from 2.0.0 before 6.4.0
Type: Path traversal
CVE/CVSS: CVE-2024-53677 / CVSS 9.5 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red)

Sources

Apache Struts Security Bulletin: https://cwiki.apache.org/confluence/display/WW/S2-067

Sans Internet Storm Center: https://isc.sans.edu/diary/31520

CCB:

Risks

A critical vulnerability (CVE-2024-53677) has been identified in Apache Struts 2, a widely used Java framework for building web applications. This flaw allows attackers to exploit the file upload logic through path traversal, enabling remote code execution (RCE).

Given the potential for remote code execution, this vulnerability poses a significant risk to the confidentiality, integrity, and availability (CIA triad) of systems relying on Struts 2. Systems compromised through this vulnerability could suffer severe downtime, unauthorized data access, or control by malicious actors.

This vulnerability is particularly concerning because it can be exploited remotely without user interaction. Organizations utilizing affected Struts 2 versions should urgently assess and mitigate this risk to prevent exploitation and potential disruption.

Update 2024-12-16: PoC exploits have been released, and active exploit attempts matching the PoC exploit code have been observed. CVE-2024-53677 also appears to be related to a similar but older vulnerability, CVE-2023-50164, which may not have been completely patched (see CCB advisory #2023-148, dated 2023-12-11).

Description

The vulnerability stems from flawed logic in the file upload mechanism, allowing attackers to manipulate file upload parameters and conduct path traversal attacks. Under specific circumstances, this flaw enables the upload of malicious files that can execute arbitrary code on the target server. This can enable attackers to take control remotely.

Key Note: Applications not using the FileUploadInterceptor are not vulnerable.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends upgrading to Struts 6.4.0 or greater with the highest priority, and to migrate to the new file upload mechanism as mentioned in Apache’s security bulletin.
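Added example (not from the advisory or from Apache) of what the recommended migration looks like: an action that receives files through the Struts 6.4 UploadedFilesAware callback instead of the legacy FileUploadInterceptor setters, and confines the client-supplied name to an assumed upload directory. The class name, the directory and the exact API method names are assumptions to verify against Apache's bulletin and the 6.4 Javadoc.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.util.List;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {
    // Hypothetical upload directory; the advisory names none.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private List<UploadedFile> uploadedFiles;
    // With the 6.4+ actionFileUpload interceptor the framework hands over the parsed files
    // here; the server-side file name is no longer populated from request parameters,
    // which was the surface the legacy FileUploadInterceptor exposed.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }
    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        for (UploadedFile f : uploadedFiles) {
            Path target = safeTarget(f.getOriginalName());
            if (target == null) {
                addActionError("Rejected file name: " + f.getOriginalName());
                return INPUT;
            }
            // getContent() is the temporary File written by the multipart parser (assumed API).
            Files.copy(((File) f.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
    // Never use the client-supplied name as a path: keep only its last element and
    // confirm the normalized result is still inside UPLOAD_ROOT.
    static Path safeTarget(String clientName) {
        if (clientName == null || clientName.isBlank()) return null;
        try {
            Path last = Paths.get(clientName.replace('\\', '/')).getFileName();
            if (last == null || last.toString().equals(".") || last.toString().equals("..")) return null;
            Path target = UPLOAD_ROOT.resolve(last.toString()).normalize();
            return target.startsWith(UPLOAD_ROOT) ? target : null;
        } catch (InvalidPathException e) {
            return null;
        }
    }
}
```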

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53677