News: 1734472634

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Critical security hole in Apache Struts under exploit

(2024/12/17)


A critical security hole in Apache Struts 2, patched last week, is now being exploited using publicly available proof-of-concept (PoC) code.

Struts is a Java-based web application framework widely used by large enterprises and government agencies. Bugs in this open-source project do not tend to end well — remember the [1]"entirely preventable" Equifax breach in 2017?

The flaw is tracked as [2]CVE-2024-53677 , it received a 9.5 out of 10 CVSS risk rating, and it affects Struts versions 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.

[3]

Applications that don't use Struts' File Upload Interceptor component, which was deprecated in version 6.4.0 and removed entirely in 7.0.0, are safe.

[4]

[5]

Attackers can exploit this bug to manipulate file upload parameters and enable path traversal. This can be abused to upload malicious files into restricted directories and can lead to remote code execution (RCE) under certain conditions.

As security intelligence and automation vendor Qualys [6]warned in its advisory, “a vulnerability like CVE-2024-53677 could have far-reaching implications" such as loss of sensitive data, complete system compromise.

[7]

And now, according to infosec education outfit SANS’s dean of research Johannes Ullrich, attackers are actively trying to exploit this vulnerability using [8]this POC code .

[9]Apache issues patches for critical Struts 2 RCE bug

[10]Four in five Apache Struts 2 downloads are for versions featuring critical flaw

[11]Equifax scores £11.1M slap on wrist over 2017 mega breach

[12]Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility

"At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich [13]noted .

Or at least, the exploit attempts are "inspired" by this bug as there are at least two vulnerabilities that could be targeted using this code, he added.

Regardless, we'd highly suggest users update to at least Struts 6.4.0 (or the latest version) immediately. However, as The Register [14]reported last week, that’s not a simple job. Here's what Apache [15]advised in its December 12 disclosure:

This change isn't backward compatible as you must rewrite your actions to start using the new [16]Action File Upload mechanism and related interceptor. Keep using the old File Upload mechanism keeps you vulnerable to this attack.

As Ullrich also pointed out: the new vulnerability, CVE-2024-53677, seems to be related to [17]CVE-2023-50164 , which Apache fixed in December 2023. "The older vulnerability is similar," he said, "and an incomplete patch may have led to the newer issue." ®

Get our [18]Tech Resources



[1] https://www.theregister.com/2023/10/13/equifax_fca_fine/

[2] https://nvd.nist.gov/vuln/detail/CVE-2024-53677

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z2ICkdJudNbAEDmQc2xDCAAAAAE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2ICkdJudNbAEDmQc2xDCAAAAAE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2ICkdJudNbAEDmQc2xDCAAAAAE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://blog.qualys.com/vulnerabilities-threat-research/2024/12/16/critical-apache-struts-file-upload-vulnerability-cve-2024-53677-risks-implications-and-enterprise-countermeasures

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2ICkdJudNbAEDmQc2xDCAAAAAE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://github.com/TAM-K592/CVE-2024-53677-S2-067

[9] https://www.theregister.com/2024/12/12/apache_struts_2_vuln/

[10] https://www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/

[11] https://www.theregister.com/2023/10/13/equifax_fca_fine/

[12] https://www.theregister.com/2024/12/16/ransomware_attacks_exploit_cleo_bug/

[13] https://isc.sans.edu/diary/Exploit+attempts+inspired+by+recent+Struts2+File+Upload+Vulnerability+CVE202453677+CVE202350164/31520

[14] https://www.theregister.com/2024/12/12/apache_struts_2_vuln/

[15] https://cwiki.apache.org/confluence/display/WW/S2-067

[16] https://struts.apache.org/core-developers/action-file-upload

[17] https://www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/

[18] https://whitepapers.theregister.com/



Deja vu all over again.

OllieJones

Please, people, please get ahead of this one. If you need executive permission, funding, or time to get it done, just say "Equifax".

Re: Deja vu all over again.

IGotOut

And the C-Suite will go "And what happened to them? Ooo a fine, how scary. We'll let accounts know to put a fraction of a percentage of or profits to one side, you know, just in case"

Nice guys get sick.