CVE-2024-53677 could allow unauthenticated remote code execution, path traversal or upload of malicious files

Threat ID:CC-4592

Threat Severity:Medium

Published:17 December 2024 2:31 PM

Summary

Affected platforms

The following platforms are known to be affected:

Apache Struts 2

2.0.0 to 2.3.37 (End-of-life)

2.5.0 to 2.5.33

6.0.0 to 6.3.0.2

Applications not using FileUploadInterceptor not vulnerable.

Threat details

End-of-life versions and new file upload mechanism

Apache has stated Struts versions 2.0.0 through 2.3.37 are end-of-life (EOL) and are no longer supported.

CVE-2024-53677 is a vulnerability in the File Upload Interceptor, and as of Struts version 6.4.0 this interceptor has been deprecated, and removed entirely in version 7.0.0. Applications not using File Upload Interceptor are not considered vulnerable. Apache advises organisations upgrading to the latest version of Struts must also rewrite applications to replace the File Upload Interceptor with the new file upload mechanism in order to fully remediate.

Introduction

Apache has released a security bulletin addressing a critical vulnerability in Apache Struts 2. Apache Struts is an open-source model-view-controller (MVC) framework for creating Java web applications.

CVE-2024-53677 is a 'Unrestricted Upload of File with Dangerous Type' vulnerability and has a CVSSv4 score of 9.5. This vulnerability exists in the File Upload Interceptor, which allows developers easy access to file upload support. If CVE-2024-53677 is exploited, a remote unauthenticated attacker could traverse system paths, upload malicious files and perform remote code execution (RCE).

Proof-of-Concept code released for CVE-2024-53677

A public proof-of-concept is available for CVE-2024-53677. Exploitation is considered more likely.

Remediation advice

Affected organisations are encouraged to review the Apache security bulletin S2-067, upgrade to Apache Struts version 6.4.0 or higher, and migrate to the new file upload mechanism for continued functionality.

Remediation steps


Patch	Upgrade Apache Struts to version 6.4.0 or higher. https://cwiki.apache.org/confluence/display/WW/S2-067
Action	For continued file upload functionality organisations must migrate from the File Upload Interceptor (deprecated as of Struts 6.4.0) to the new Action File Upload Interceptor (available since Struts 6.4.0). NOTE: Apache states 'this change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Using the old File Upload mechanism keeps you vulnerable to this attack.' https://struts.apache.org/core-developers/action-file-upload-interceptor

Patch

Upgrade Apache Struts to version 6.4.0 or higher.

https://cwiki.apache.org/confluence/display/WW/S2-067

Action

For continued file upload functionality organisations must migrate from the File Upload Interceptor (deprecated as of Struts 6.4.0) to the new Action File Upload Interceptor (available since Struts 6.4.0).

NOTE: Apache states 'this change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Using the old File Upload mechanism keeps you vulnerable to this attack.'

https://struts.apache.org/core-developers/action-file-upload-interceptor

Definitive source of threat updates

https://cwiki.apache.org/confluence/display/WW/S2-067

CVE Vulnerabilities

StatusPublished

CVE-2024-53677File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Last edited: 17 December 2024 2:31 pm