Advisory

Apache reports critical remote code execution flaw in Struts 2

Take action: If you are using Apache Struts, either remove FileUploadInterceptor from your interceptor stacks (only an option if the application does not need file uploads at all) or, better, upgrade to Struts 6.4.0 or later and migrate your actions to the new file upload mechanism. The migration is not trivial, but leaving this unpatched means running a publicly known remote code execution flaw that attackers are already exploiting. Don't delay: an unpatched Struts flaw is exactly what led to the Equifax breach.


Learn More

Apache has disclosed a critical remote code execution (RCE) vulnerability tracked as CVE-2024-53677 (CVSS score 9.8) affecting multiple versions of Apache Struts 2. The vulnerability stems from a flaw in the file upload logic that allows attackers to perform path traversal attacks, potentially leading to the upload of malicious files and subsequent remote code execution on affected systems. Active attacks have been detected exploiting this flaw.

Affected Versions:

  • Struts 2.0.0 through Struts 2.3.37 (End of Life)
  • Struts 2.5.0 through Struts 2.5.33
  • Struts 6.0.0 through Struts 6.3.0.2

Applications not using the FileUploadInterceptor component are not vulnerable to this attack. The FileUploadInterceptor was deprecated in version 6.4.0 and completely removed in version 7.0.0.

The vulnerability requires no privileges or authentication to exploit. Apache lists no workaround short of upgrading; the only other way to close the exposure is to stop using FileUploadInterceptor entirely, which means removing file upload functionality from the affected actions.

Remediation requires upgrading to Struts 6.4.0 or later and migrating to the new Action File Upload mechanism. Upgrading the library alone is not enough: any action that still relies on the old FileUploadInterceptor remains vulnerable, so each such action has to be rewritten against the new mechanism. That rewrite is what makes this fix more work than a routine version bump.
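As an added example, not code from the Apache Struts project or from this advisory, here is what a migrated upload action looks like on Struts 6.4.0 or later. The package name, the upload directory, the allowed extensions and the struts.xml fragment are assumptions; the `UploadedFilesAware` callback and the `UploadedFile` accessors are used as documented for Struts 6.4 as I understand them, so confirm the method names and the interceptor name against the version you deploy. The security property to notice is the one a path traversal payload abuses: the destination path is never built from the client-supplied file name, and the resolved path is checked for containment regardless.

```java
package example.upload; // assumed package name

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Set;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/*
 * Illustrative Struts 6.4+ upload action built on the new Action File Upload
 * mechanism. Files arrive through the UploadedFilesAware callback, so the
 * action exposes no setUpload()/setUploadFileName() setters that request
 * parameters could reach. Assumed struts.xml wiring (interceptor name taken
 * from the 6.4 docs; verify for your version):
 *
 *   <action name="upload" class="example.upload.DocumentUploadAction">
 *     <interceptor-ref name="actionFileUpload"/>
 *     <interceptor-ref name="basicStack"/>
 *     <result>/uploaded.jsp</result>
 *   </action>
 */
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed upload root: fixed on the server, outside the web root, never derived from the request.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Assumed allow list; the client name contributes at most one of these extensions.
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "jpg", "txt");

    private List<UploadedFile> uploadedFiles;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_DIR);
        for (UploadedFile f : uploadedFiles) {
            // getAbsolutePath(): the temporary file the multipart parser already wrote.
            Path temp = Paths.get(f.getAbsolutePath());
            Path target = safeTarget(UPLOAD_DIR, f.getOriginalName());
            Files.copy(temp, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /*
     * Chooses where an upload is stored. The basename is generated server-side;
     * the client name is only consulted for an allow-listed extension after any
     * directory component (with either separator) has been stripped. The final
     * normalize()/startsWith() check is the test a payload such as
     * "../../webapps/ROOT/shell.jsp" must fail.
     */
    static Path safeTarget(Path uploadDir, String clientName) {
        String ext = "";
        if (clientName != null) {
            int sep = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
            String base = clientName.substring(sep + 1);
            int dot = base.lastIndexOf('.');
            if (dot >= 0) {
                String candidate = base.substring(dot + 1).toLowerCase();
                if (ALLOWED_EXT.contains(candidate)) {
                    ext = "." + candidate;
                }
            }
        }
        Path target = uploadDir.resolve(UUID.randomUUID() + ext).normalize();
        if (!target.startsWith(uploadDir)) {
            throw new IllegalArgumentException("upload path escapes upload directory");
        }
        return target;
    }
}
```

The containment check is kept even though the generated name cannot contain a separator: if the action is later changed to preserve original file names, that check is what still stops a traversal payload from landing outside the upload directory.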

Update, 17 December 2024: exploitation attempts against this flaw have been observed in the wild. Administrators should upgrade to a fixed version and migrate their upload actions immediately.

Apache has withheld technical details to give users time to upgrade to safe versions. The obvious precedent is the 2017 Equifax breach, carried out through a Struts 2 vulnerability (CVE-2017-5638) for which a patch had been available for months.