A critical security hole in Apache Struts 2, patched last week, is now being exploited using publicly available proof-of-concept (PoC) code.

Struts is a Java-based web application framework widely used by large enterprises and government agencies. Bugs in this open-source project do not tend to end well — remember the "entirely preventable" Equifax breach in 2017?

The flaw is tracked as CVE-2024-53677, it received a 9.5 out of 10 CVSS risk rating, and it affects Struts versions 2.0.0 to 2.3.37 (end-of-life), 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.

Applications that don't use Struts' File Upload Interceptor component, which was deprecated in version 6.4.0 and removed entirely in 7.0.0, are safe.

Attackers can exploit this bug to manipulate file upload parameters and enable path traversal. This can be abused to upload malicious files into restricted directories and can lead to remote code execution (RCE) under certain conditions.

As security intelligence and automation vendor Qualys warned in its advisory, “a vulnerability like CVE-2024-53677 could have far-reaching implications" such as loss of sensitive data, complete system compromise.

And now, according to infosec education outfit SANS’s dean of research Johannes Ullrich, attackers are actively trying to exploit this vulnerability using this POC code.

"At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich noted.

Or at least, the exploit attempts are "inspired" by this bug as there are at least two vulnerabilities that could be targeted using this code, he added.

Regardless, we'd highly suggest users update to at least Struts 6.4.0 (or the latest version) immediately. However, as The Register reported last week, that’s not a simple job. Here's what Apache advised in its December 12 disclosure:

As Ullrich also pointed out: the new vulnerability, CVE-2024-53677, seems to be related to CVE-2023-50164, which Apache fixed in December 2023. "The older vulnerability is similar," he said, "and an incomplete patch may have led to the newer issue." ®

https://www.theregister.com//2024/12/17/critical_rce_apache_struts/