New critical Apache Struts flaw exploited to find vulnerable servers

A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is being actively exploited using public proof-of-concept exploits to find vulnerable devices.

Apache Struts is an open-source framework for building Java-based web applications used by various organizations, including government agencies, e-commerce platforms, financial institutions, and airlines.

Apache publicly disclosed the Struts CVE-2024-53677 flaw (CVSS 4.0 score: 9.5, "critical") six days ago, stating it is a bug in the software's file upload logic that allows path traversal and the uploading of malicious files, which could lead to remote code execution.

It impacts Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.
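For triaging an inventory of Struts deployments against the affected ranges above, the following added example (not code from the article or from the Apache project) classifies a version string. It encodes only the ranges and the 6.4.0 fixed release stated in the article; the hostnames in the sample inventory are constructed, and the four-part zero padding of shorter versions is an assumption made so that the four-component 6.3.0.2 bound compares correctly.

```python
# Affected ranges and fixed release for CVE-2024-53677, as listed in the Apache advisory.
AFFECTED_RANGES = [
    ("2.0.0", "2.3.37", "2.3.x branch is end-of-life, no fixed 2.3.x release"),
    ("2.5.0", "2.5.33", None),
    ("6.0.0", "6.3.0.2", None),
]
FIXED_VERSION = "6.4.0"


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2). Shorter versions are zero-padded to four components
    (assumption) so that '6.3' compares as (6, 3, 0, 0). A qualifier such as '-SNAPSHOT'
    is dropped; non-numeric or over-long input raises ValueError."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version):
    """Return (status, advice) for one Struts version string."""
    v = parse_version(version)
    for lo, hi, note in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            advice = (f"upgrade to {FIXED_VERSION} or later and migrate file-upload "
                      f"actions to the Action File Upload mechanism")
            return ("vulnerable", f"{note}; {advice}" if note else advice)
    if v >= parse_version(FIXED_VERSION):
        # The version alone is not enough: actions still using the old upload
        # mechanism remain exploitable, so this needs a code-level check.
        return ("fixed-version", "confirm actions use the Action File Upload mechanism")
    return ("unknown", "version outside the published ranges; check the advisory")


def triage(inventory):
    """Map {host: version} to {host: (status, advice)}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"app-01.example": "2.5.33", "app-02.example": "6.3.0.2", "app-03.example": "6.4.0"}
    for host, (status, advice) in triage(sample).items():
        print(f"{host}: {status} - {advice}")
```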

“An attacker can manipulate file upload parameters to enable paths traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution,” reads the Apache security bulletin.

In short, CVE-2024-53677 allows attackers to upload dangerous files such as web shells into restricted directories and use them to remotely execute commands, download additional payloads, and steal data.

The vulnerability is similar to CVE-2023-50164, and there is speculation that the same issue has re-emerged due to an incomplete fix, a problem that has plagued the project before.

ISC SANS researcher Johannes Ullrich reports seeing exploitation attempts that appear to use publicly available exploits or are at least heavily inspired by them.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” reports Ullrich.

Attackers are enumerating vulnerable systems by using the exploit to upload an “exploit.jsp” file that contains a single line of code to print the “Apache Struts” string.

The exploiter then attempts to access the script to verify that the server was successfully exploited. Ullrich says the exploitation has only been detected from a single IP address, 169.150.226.162.
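The upload-then-verify sequence described above leaves a recognisable trace in web server access logs: a POST to a Struts action endpoint followed shortly, from the same source, by a GET for a .jsp that was never part of the deployment. The following added example (not code from the article, ISC SANS or the Struts project) runs that detection over a constructed combined-format access log. The `.action` endpoint name, the `KNOWN_JSP` inventory and the 15-minute window are assumptions; the scanner IP is the one named in the article.

```python
import re
from datetime import datetime, timedelta

# Scanning source named in the ISC SANS report quoted by the article.
KNOWN_SCANNER_IPS = {"169.150.226.162"}

# JSP files that legitimately exist in the deployment (assumed inventory, not from the article).
KNOWN_JSP = {"/app/index.jsp"}

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample access log (made-up traffic, not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2024:10:00:01 +0000] "GET /index.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
169.150.226.162 - - [18/Dec/2024:10:00:05 +0000] "POST /upload.action HTTP/1.1" 200 412 "-" "python-requests/2.31"
169.150.226.162 - - [18/Dec/2024:10:00:06 +0000] "GET /exploit.jsp HTTP/1.1" 200 14 "-" "python-requests/2.31"
198.51.100.9 - - [18/Dec/2024:10:01:00 +0000] "POST /upload.action HTTP/1.1" 200 412 "-" "curl/8.4"
198.51.100.9 - - [18/Dec/2024:10:05:00 +0000] "GET /exploit.jsp HTTP/1.1" 404 0 "-" "curl/8.4"
192.0.2.4 - - [18/Dec/2024:10:02:00 +0000] "POST /upload.action HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.4 - - [18/Dec/2024:10:02:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_upload_probes(log_text, known_jsp=KNOWN_JSP, window=timedelta(minutes=15)):
    """Flag the upload-then-verify pattern: a POST to a Struts .action endpoint followed,
    from the same IP within `window`, by a GET for a .jsp that is not in the deployment.
    A 200 on that GET means the file really was written (high); a 404 is a failed probe
    that still shows intent (medium). Any request from the reported scanner IP is flagged once."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # logs may be interleaved per worker
    last_post = {}                              # ip -> time of its latest POST to an .action
    seen_scanner = set()
    findings = []
    for e in events:
        ip = e["ip"]
        if ip in KNOWN_SCANNER_IPS and ip not in seen_scanner:
            seen_scanner.add(ip)
            findings.append({"ip": ip, "severity": "high", "path": e["path"],
                             "reason": "request from IP reported scanning for CVE-2024-53677"})
        if e["method"] == "POST" and e["path"].endswith(".action"):
            last_post[ip] = e["ts"]
            continue
        if (e["method"] == "GET" and e["path"].lower().endswith(".jsp")
                and e["path"] not in known_jsp and ip in last_post
                and e["ts"] - last_post[ip] <= window):
            served = e["status"] == 200
            findings.append({"ip": ip, "severity": "high" if served else "medium",
                             "path": e["path"],
                             "reason": ("unexpected JSP served after upload POST" if served
                                        else "probe for unexpected JSP after upload POST")})
    return findings


if __name__ == "__main__":
    for f in find_upload_probes(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:16} {f['path']:18} {f['reason']}")
```

On a real server the `KNOWN_JSP` set should be generated from the deployed application archive rather than typed by hand, and a high finding is worth following with a file-system check of the web root for the JSP that was served.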

To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism.

Simply applying the patch is not enough, as the code that handles file uploads in Struts applications must be rewritten to implement the new Action File Upload mechanism.

“This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor,” warns Apache.

“Keep using the old File Upload mechanism keeps you vulnerable to this attack.”

With active exploitation underway, several national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging impacted software developers to take immediate action.

Exactly a year ago, hackers leveraged publicly available exploits to attack vulnerable Struts servers and achieve remote code execution.
