Apache Struts 2 Bug Under Attack

CVE-2024-53677 can lead to remote code execution

Researchers have begun seeing exploit attempts against a critical vulnerability in the Apache Struts 2 framework that can enable an adversary to upload a malicious file to a target system. The weakness may be related to an older bug, and though the Apache Software Foundation released a fix for the newer flaw in late November, the patch has some limitations. 

Why It Matters: Struts 2 is a widely used web application framework deployed in a broad range of environments around the world. The vulnerability is a flaw in the logic that Struts 2 uses for file uploads, and an attacker who is able to exploit it could gain remote code execution in some cases. Proof-of-concept exploit code is publicly available, and researchers from the SANS Institute have identified active attempts to exploit it.

Key Details

  • The vulnerability affects Struts 2.0.0 through 2.3.37, Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2.

  • “The vulnerability, CVE-2024-53677, appears to be related to CVE-2023-50164. The older vulnerability is similar, and an incomplete patch may have led to the newer issue. PoC exploits have been released (see, for example, [2]). And we are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” the SANS analysis says. 

  • The patch for the vulnerability is not backward-compatible “as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor”, according to the ASF.

  • There is no workaround for this bug.
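Because there is no workaround, the first defensive step is an inventory of which deployments run an affected Struts build. The script below is an added example (not code from the article, SANS or the Apache project) that encodes the three affected version ranges listed above and checks version strings pulled from Maven `pom.xml` files against them. The `pom.xml` snippet is constructed; the `struts2-core` artifact name and the regex that extracts its `<version>` are my assumptions about how the dependency is typically declared, and a version expressed as a property reference such as `${struts.version}` is reported as unknown rather than guessed.

```python
import re

# Inclusive version ranges named in the article (2.0.0-2.3.37, 2.5.0-2.5.33, 6.0.0-6.3.0.2).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]

# Assumed pom.xml layout: artifactId immediately followed by a literal <version>.
POM_DEP_RE = re.compile(
    r"<artifactId>struts2-core</artifactId>\s*<version>([^<]+)</version>", re.S
)


def parse_version(version: str):
    """'6.3.0.2' -> (6, 3, 0, 2); qualifiers after '-' or '+' are dropped.
    Returns None when the string is not dotted integers (e.g. '${struts.version}')."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    try:
        return tuple(int(p) for p in core.split("."))
    except ValueError:
        return None


def _pad(t, n):
    # Right-pad with zeros so (6, 4) compares like (6, 4, 0, 0).
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True when the version falls inside any of the affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    for low, high in AFFECTED_RANGES:
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            return True
    return False


def classify_pom(pom_text: str) -> dict:
    """Map each struts2-core version found in a pom to 'affected', 'not-affected' or 'unknown'."""
    result = {}
    for v in POM_DEP_RE.findall(pom_text):
        if parse_version(v) is None:
            result[v] = "unknown"      # property reference or non-numeric; resolve it by hand
        else:
            result[v] = "affected" if is_affected(v) else "not-affected"
    return result


# Constructed sample pom fragment, not taken from any real project.
SAMPLE_POM = """<dependencies>
  <dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>6.3.0.2</version>
  </dependency>
</dependencies>"""

if __name__ == "__main__":
    print(classify_pom(SAMPLE_POM))
```

The range check pads shorter version tuples with zeros before comparing, so `6.4` is treated as `6.4.0.0` and correctly lands above the `6.3.0.2` upper bound; anything that cannot be parsed is flagged as unknown so it is not silently reported as safe.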

Exploitation: The exploit attempts are coming from one specific IP address at the moment: 169.150.226.162. “This attempt uploads a one-liner script that is supposed to return ‘Apache Struts’. Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository,” the SANS blog says.
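The two-step pattern SANS describes (an upload request, then a request for the uploaded script) is something a defender can look for in ordinary web server access logs while patching is under way. The following is an added detection example, not code from the article or from SANS: it parses Apache combined-format lines, groups them by client address, and raises an alert when a `POST` to an upload endpoint is followed within a short window by a `GET` for a `.jsp` or `.jspx` path from the same client. The log lines are constructed; the assumption that the upload endpoint's path contains "upload", the 60-second window and the script extensions are my choices, and the one real value is the source address named in the SANS analysis above, which is flagged separately.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format; none of this is real traffic.
SAMPLE_LOG = """\
169.150.226.162 - - [13/Dec/2024:10:15:01 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
169.150.226.162 - - [13/Dec/2024:10:15:03 +0000] "GET /app/probe.jsp HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Dec/2024:10:16:10 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Dec/2024:10:40:00 +0000] "GET /app/index.action HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2024:11:00:00 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [13/Dec/2024:11:00:02 +0000] "GET /app/x.jsp HTTP/1.1" 200 14 "-" "curl/8.0"
"""

# client, timestamp, method, path, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
KNOWN_SOURCE = "169.150.226.162"        # address reported in the SANS analysis
WINDOW = timedelta(seconds=60)          # assumed gap between upload and fetch
SCRIPT_EXTS = (".jsp", ".jspx")         # assumed server-side script extensions


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT),
            "method": method, "path": path, "status": int(status)}


def find_upload_then_fetch(log_text: str, window: timedelta = WINDOW) -> list:
    """Alert on a POST to an upload endpoint followed, within `window`,
    by a GET for a script path from the same client."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, post in enumerate(recs):
            if post["method"] != "POST" or "upload" not in post["path"].lower():
                continue
            for follow in recs[i + 1:]:
                if follow["ts"] - post["ts"] > window:
                    break
                if follow["method"] == "GET" and follow["path"].lower().endswith(SCRIPT_EXTS):
                    alerts.append({
                        "ip": ip,
                        "upload": post["path"],
                        "fetch": follow["path"],
                        "fetch_status": follow["status"],
                        "known_source": ip == KNOWN_SOURCE,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in find_upload_then_fetch(SAMPLE_LOG):
        print(a)
```

A `404` on the follow-up `GET` (the first alert in the sample) still deserves attention: it is consistent with the enumeration attempts SANS describes, where the probe is sent whether or not the upload landed where the attacker expected. A `200` on a script path that the application never shipped is the case to escalate immediately.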