New critical Apache Struts flaw exploited to find vulnerable servers

December 18, 2024

Apache

A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices.

Apache Struts is an open-source framework for building Java-based web applications used by various organizations, including government agencies, e-commerce platforms, financial institutions, and airlines.

Apache publicly disclosed the Struts CVE-2024-53677 flaw (CVSS 4.0 score: 9.5, "critical") six days ago, stating it is a bug in the software's file upload logic, allowing path traversals and the uploading of malicious files that could lead to remote code execution.

It impacts Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.

"An attacker can manipulate file upload parameters to enable paths traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution," reads the Apache security bulletin.

In short, CVE-2024-53677 allows attackers to upload dangerous files like web shells into restricted directors and use them to remotely execute commands, download further payloads, and steal data.

The vulnerability is similar to CVE-2023-50164, and there's speculation that the same issue has re-emerged due to an incomplete fix, a problem that has previously plagued the project in the past.

ISC SANS' researcher Johannes Ullrich reports seeing exploitation attempts that appear to use publicly available exploits or are at least heavily inspired by them.

"We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems," reports Ullrich.

Attackers are enumerating vulnerable systems by using the exploit to upload an "exploit.jsp" file that contains a single line of code to print the "Apache Struts" string.

The exploiter then attempts to access the script to verify that the server was successfully exploited. Ullrich says the exploitation has only been detected from a single IP address, 169.150.226.162.

To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism.

Merely applying the patch isn't enough, as the code that handles file uploads in Struts applications needs to be rewritten to implement the new Action File Upload mechanism.

"This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor," warns Apache.

"Keep using the old File Upload mechanism keeps you vulnerable to this attack."

With active exploitation underway, multiple national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging impacted software developers to take immediate action.

Exactly a year ago, hackers leveraged publicly available exploits to attack vulnerable Struts servers and achieve remote code execution.