The Apache Software Foundation (ASF) has issued a security update to address a critical vulnerability in both end-of-life and current versions of Apache Struts 2. Under specific conditions, this vulnerability could lead to remote code execution (RCE). Review this Cybersecurity Threat Advisory to learn about this critical vulnerability and how to protect your infrastructure.
What is the threat?
Apache disclosed a critical vulnerability in Apache Struts 2 (tracked as CVE-2024-53677, CVSS score 9.5), a widely used Java web application framework. The flaw lies in Struts' legacy file upload mechanism (the FileUploadInterceptor) and affects Struts 2.0.0 through 2.3.37 (end-of-life), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2; it is fixed in Struts 6.4.0. By manipulating file upload parameters, an attacker can perform path traversal and cause an uploaded file to be written outside the intended upload directory. In certain deployments, for example when the file lands somewhere the application server will execute it, this leads to remote code execution, allowing an unauthorized actor to run arbitrary code, exfiltrate sensitive data, or fully compromise the system.
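The affected ranges above are easy to get wrong by eye because Struts versions are not always three-part (6.3.0.2 is affected, 6.4.0 is not). The following is an added example written for this advisory, not code from Apache or Barracuda: it takes dependency coordinates in the `groupId:artifactId:type:version:scope` form printed by `mvn dependency:list` (the same coordinates can be pulled from an SBOM) and reports any struts2-core version inside the advisory's ranges. The sample dependency lines are constructed for the example; the class and method names are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags struts2-core dependencies whose version falls inside the affected
 * ranges from the advisory. Input lines use the
 * "groupId:artifactId:type:version:scope" form printed by `mvn dependency:list`
 * (a leading "[INFO]" prefix is tolerated) or the same coordinates from an SBOM.
 */
public class StrutsVersionCheck {

    // Constructed sample input for this example; not output from any real build.
    static final String[] SAMPLE_DEPENDENCIES = {
        "[INFO]    org.apache.struts:struts2-core:jar:2.3.37:compile",
        "[INFO]    org.apache.struts:struts2-core:jar:2.5.33:compile",
        "[INFO]    org.apache.struts:struts2-core:jar:6.3.0.2:compile",
        "[INFO]    org.apache.struts:struts2-core:jar:6.4.0:compile",
        "[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile",
    };

    private static final Pattern STRUTS_CORE =
        Pattern.compile("org\\.apache\\.struts:struts2-core:[^:]+:([^:]+):");

    /** Affected ranges (inclusive) as listed in the advisory; fixed in 6.4.0. */
    private static final String[][] AFFECTED = {
        {"2.0.0", "2.3.37"},
        {"2.5.0", "2.5.33"},
        {"6.0.0", "6.3.0.2"},
    };

    /** "6.3.0.2" -> [6, 3, 0, 2]; parsing stops at the first non-numeric part such as "SNAPSHOT". */
    static int[] parseVersion(String version) {
        List<Integer> parts = new ArrayList<>();
        for (String p : version.split("[.-]")) {
            if (!p.matches("\\d+")) break;
            parts.add(Integer.parseInt(p));
        }
        return parts.stream().mapToInt(Integer::intValue).toArray();
    }

    /** Numeric comparison; missing trailing components count as zero, so 6.4 equals 6.4.0. */
    static int compareVersions(String a, String b) {
        int[] x = parseVersion(a), y = parseVersion(b);
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compareVersions(version, range[0]) >= 0 && compareVersions(version, range[1]) <= 0) {
                return true;
            }
        }
        return false;
    }

    /** Returns every affected struts2-core version found in the dependency listing. */
    static List<String> findAffected(String[] dependencyLines) {
        List<String> hits = new ArrayList<>();
        for (String line : dependencyLines) {
            Matcher m = STRUTS_CORE.matcher(line);
            if (m.find() && isAffected(m.group(1))) hits.add(m.group(1));
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = findAffected(SAMPLE_DEPENDENCIES);
        if (hits.isEmpty()) {
            System.out.println("No affected struts2-core versions found");
        } else {
            System.out.println("Affected struts2-core versions: " + hits);
        }
    }
}
```

On the sample input this reports 2.3.37, 2.5.33 and 6.3.0.2 and passes 6.4.0. A version check of this kind tells you whether the framework is patched, not whether the application is safe: an application on 6.4.0 or later whose upload actions were never migrated off the legacy FileUploadInterceptor is still exposed, so pair the dependency check with a review of the upload code.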
Why is this noteworthy?
Apache Struts is central to many corporate IT infrastructures, powering public-facing portals, internal productivity tools, and critical business operations. It is known for its robust architecture, built-in data validation, and straightforward integration with other Java technologies, and it is often used in large-scale, mission-critical applications. These attributes underscore the importance of addressing newly identified security risks promptly.
What is the exposure or risk?
CVE-2024-53677 is harder to remediate than a typical patch-and-restart fix, which amplifies its risk. Apache's remediation is to upgrade to Struts 6.4.0 or later and migrate to the new Action File Upload mechanism, and that migration is not backward compatible: upload actions must be rewritten, not just the dependency bumped, which extends the exposure window. Applications that upgrade the framework but keep using the legacy file upload interceptor remain vulnerable. These delays can be disastrous for organizations that cannot quickly identify affected systems throughout their entire software stack.
Three factors make CVE-2024-53677 especially concerning:
- The vulnerability is easily automatable, making it simpler for threat actors to conduct large-scale exploitation campaigns.
- Struts2 continues to be widely used in enterprise environments, leaving hundreds of thousands of systems vulnerable.
- The holiday season often results in reduced staffing and slower response times, providing an ideal opportunity for successful exploitation.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this vulnerability:
- Maintain an up-to-date software bill of materials (SBOM) to identify dependencies on Struts2.
- Use software composition analysis (SCA) tools to pinpoint affected and vulnerable components.
- Implement Apache’s recommended fixes and transition to the new Action File Upload mechanism.
- Conduct tabletop exercises to ensure readiness for future incidents.
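What "transition to the new Action File Upload mechanism" means in code, shown as an added example written for this advisory rather than taken from the Struts project or from Apache's advisory: the "before" action follows the legacy FileUploadInterceptor convention of setters named after the form field (`upload`, `uploadContentType`, `uploadFileName`) and builds its destination path from the client-supplied name; the "after" action receives uploads through the UploadedFilesAware interface introduced in Struts 6.4.0 and never lets the client name decide where the file is written. The UploadedFile accessors used (`getOriginalName`, `getContent`), the cast of `getContent()` to `java.io.File`, the upload directory `/var/app/uploads` and the class names are assumptions about the 6.4.0 API and the deployment; check them against the Struts file upload documentation for the exact version you deploy.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * BEFORE: an action written for the legacy FileUploadInterceptor. The interceptor
 * injects the temp file, content type and client-supplied file name through
 * setters named after the form field ("upload"). Building the destination path
 * from uploadFileName is what turns a traversal-style name into a write outside
 * the upload directory.
 */
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadContentType;
    private String uploadFileName;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadContentType(String contentType) { this.uploadContentType = contentType; }
    public void setUploadFileName(String fileName) { this.uploadFileName = fileName; }

    @Override
    public String execute() throws IOException {
        Path dest = Paths.get("/var/app/uploads", uploadFileName);  // trusts the client name
        Files.copy(upload.toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER: the same action on Struts 6.4.0+, receiving uploads through
 * UploadedFilesAware (populated by the actionFileUpload interceptor). The client
 * name is reduced to a sanitized base name and the final path is verified to
 * stay inside the upload directory, so the action stays safe even if a hostile
 * name ever reaches it.
 */
class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumption for this example: uploads live here and nothing under it is served as code.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private List<UploadedFile> uploadedFiles;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    /** Keeps only the last path segment and a conservative character set: "../x.jsp" -> "x.jsp", ".." -> "upload". */
    static String safeBaseName(String clientName) {
        String base = clientName == null ? "" : clientName.replaceAll("^.*[/\\\\]", "");
        base = base.replaceAll("[^A-Za-z0-9._-]", "_").replaceAll("^\\.+", "");
        return base.isEmpty() ? "upload" : base;
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile f : uploadedFiles) {
            // Server-generated prefix plus sanitized original name; never the raw client name.
            Path dest = UPLOAD_DIR.resolve(UUID.randomUUID() + "-" + safeBaseName(f.getOriginalName())).normalize();
            if (!dest.startsWith(UPLOAD_DIR)) {
                throw new IOException("upload destination escaped " + UPLOAD_DIR);
            }
            // Assumption: the multipart backend stores each part as a java.io.File behind getContent().
            Files.copy(((File) f.getContent()).toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```

When migrating, delete the legacy `setUpload*` setters rather than leaving them beside the new interface, so the deprecated interceptor has nothing left to populate, and if the application defines its own interceptor stack instead of using defaultStack, confirm that the stack references the actionFileUpload interceptor. The sanitization and the `startsWith(UPLOAD_DIR)` check are application-side defenses that hold regardless of framework version; they are what prevent a traversal-style file name from becoming a write into a directory the server executes.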
References
For more in-depth information, please visit the following links:
- https://www.sonatype.com/blog/cve-2024-53677-a-critical-file-upload-vulnerability-in-apache-struts2
- https://blog.qualys.com/vulnerabilities-threat-research/2024/12/16/critical-apache-struts-file-upload-vulnerability-cve-2024-53677-risks-implications-and-enterprise-countermeasures
- https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.