Overview
A critical severity vulnerability in Apache Struts with a CVSS version 4.0 score of 9.5 has been reported under CVE-2024-53677.
A flaw in the file upload logic of Apache Struts allows an attacker to manipulate file upload parameters to achieve path traversal, potentially enabling them to upload files into restricted directories and perform Remote Code Execution.
Impact
This vulnerability can be exploited to allow an attacker to upload malicious payloads which could then be used to run malicious commands, download additional malicious packages, or access and exfiltrate confidential data.
Vulnerability Detection
Apache has released a security update addressing the security flaw. Struts 2.0.0 through Struts 2.3.37 (EOL), Struts 2.5.0 through Struts 2.5.33 (EOL), and Struts 6.0.0 through Struts 6.3.0.2 are affected if they use the File Upload Interceptor.
Exploitation
Multiple instances of malicious activity matching the publicly available Proof of Concept have been reported.
Containment, Mitigations & Remediations
We recommend that all users of vulnerable versions update to Struts 6.4.0 or later and migrate from the File Upload Interceptor to the newer Action File Upload as soon as possible.
Please note that Action File Upload is not backwards compatible with your old actions written for the File Upload Interceptor, and these will need to be rewritten. However, continuing to use the File Upload Interceptor will leave you vulnerable to this attack.
There is no known workaround at this time.
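As an added illustration of the migration recommended above (example code, not from the advisory or the Struts project), the following Struts 6.4.x action receives uploads through the Action File Upload mechanism instead of the File Upload Interceptor's setters and constrains the destination path itself. The class name and upload directory are assumptions; it assumes Struts 6.4.0 or later with the actionFileUpload interceptor referenced in struts.xml.

```java
// Added example, not from the advisory or the Struts project: a Struts 6.4.x action
// receiving uploads via ActionFileUploadInterceptor (UploadedFilesAware) instead of
// the File Upload Interceptor's setUpload*/setUploadFileName setters.
// Assumes struts.xml references <interceptor-ref name="actionFileUpload"/>.
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {
    // Hypothetical fixed destination; the client never chooses the directory.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private List<UploadedFile> uploadedFiles;

    // Struts injects the parsed multipart files here; there is no public
    // setter that a request parameter could reach.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        for (UploadedFile uploaded : uploadedFiles) {
            // Keep only the last path component of the client-supplied name and
            // verify the resolved target still lies inside UPLOAD_DIR.
            Path nameOnly = Paths.get(uploaded.getOriginalName()).getFileName();
            Path target = nameOnly == null ? null : UPLOAD_DIR.resolve(nameOnly).normalize();
            if (target == null || target.equals(UPLOAD_DIR) || !target.startsWith(UPLOAD_DIR)) {
                addActionError("Rejected file name");
                return INPUT;
            }
            // Assumption: getContent() is the temp File from the default multipart parser.
            File tmp = (File) uploaded.getContent();
            Files.copy(tmp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```

Names such as "..", "." or an empty name resolve to UPLOAD_DIR itself or outside it and are rejected before any write occurs.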
Threat Landscape
Apache Struts is a free, open-source web framework for developing Java web applications. It is integral to many corporate IT systems, used in public-facing portals, internal productivity tools, and many business-critical processes. Due to its widespread use in crucial environments, exploitation could have significant and far-reaching consequences.
Tactics, Techniques and Procedures
Persistence:
Credential Access:
Collection:
Further Information