Apache has revealed a critical vulnerability in Apache Struts, a widely utilized Java-based web application framework. The vulnerability tracked as CVE-2024-53677 has a CVSS Score of 9.5 out of 10, indicating critical severity.
Struts is a key component in many enterprise environments, valued for its strong architecture, comprehensive data validation features, and smooth integration with other technologies. These attributes make Struts a popular choice for large-scale, mission-critical applications, amplifying the importance of the recently discovered security threat.
Impact
According to Apache advisory, “An attacker can exploit file upload parameters to enable path traversal, and in certain cases, this could allow the upload of a malicious file that may be used for Remote Code Execution.” A similar problem was detected in another critical vulnerability last December (CVE-2023-50164), which also came under active exploitation shortly after public disclosure.
Products Affected
The bug affects the following versions, and it has already been patched in Strut 6.4.0 or greater:
- Struts 6.0.0 through Struts 6.3.0.2 (EOL)
- Struts 2.0.0 through Struts 2.3.37 (EOL)
- Struts 2.5.0 through Struts 2.5.33
Solution
Upgrade to Struts 6.4.0 or greater and use Action File Upload Interceptor. Keeping the old file upload interceptor will keep the user vulnerable to the attack.
Due to its wide-spread use, we highly recommend you update your devices.
Instantly Fix Risks with SanerNow Patch Management
SanerNow Patch Management is a continuous, automated, and integrated platform that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.