Source URL: https://www.theregister.com/2024/12/17/critical_rce_apache_struts/
Source: The Register
Title: Critical security hole in Apache Struts under exploit
Feedly Summary: You applied the patch that could stop possible RCE attacks last week, right?
A critical security hole in Apache Struts 2, patched last week, is now being exploited using publicly available proof-of-concept (PoC) code.…
AI Summary and Description: Yes
**Summary:** A significant security vulnerability (CVE-2024-53677) in Apache Struts 2 has been reported, with active exploit attempts ongoing using publicly available proof-of-concept code. This flaw allows attackers to manipulate file upload parameters, possibly leading to remote code execution and significant risks for organizations using vulnerable Struts versions.
**Detailed Description:**
– **Vulnerability Overview:** The critical security hole tracked as CVE-2024-53677 affects various versions of Apache Struts (specifically, versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2) and has received a high risk rating of 9.5 on the CVSS scale.
– **Exploitation Risks:**
– Attackers can exploit this vulnerability to manipulate file upload parameters.
– This manipulation may enable path traversal, allowing the upload of malicious files to restricted directories.
– Under certain conditions, this could result in remote code execution (RCE).
– **Historical Context:** The severity of the vulnerabilities in open-source projects is highlighted by referencing the Equifax breach, which was largely attributed to poor handling of bugs in a similar context.
– **Active Exploitation:** Security experts, including SANS’s dean of research Johannes Ullrich, report that attackers are actively attempting to exploit this vulnerability, trying to identify vulnerable systems using related proof-of-concept code.
– **Recommendations:**
– Users are urged to update to at least version 6.4.0 of Struts immediately to mitigate risks.
– Updating poses challenges for users, as noted in reports, indicating it may not be straightforward.
– **Related Vulnerability:** The new flaw has been linked to a prior vulnerability, CVE-2023-50164, suggesting that an incomplete patch for this earlier issue could have contributed to the emergence of CVE-2024-53677.
**Key Implications for Security Professionals:**
– Organizations deploying applications using Apache Struts need to prioritize patching to fortify their defenses against this actively exploited vulnerability.
– Continuous monitoring and assessment of open-source components within their infrastructure are essential to protect sensitive data and maintain system integrity.
– There is a need for enhanced practices around vulnerability management and response, particularly as interconnected vulnerabilities can create cascading risks in software systems.