Full Report
Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution. The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Apache Struts via File Upload Manipulation
## CVE Details
- CVE ID: CVE-2024-53677
- CVSS Score: 9.5 (Critical)
- CWE: Not stated in the source. The behavior described is a path traversal in file-upload handling that lets an attacker write a file of their choosing, i.e. the CWE-22 (path traversal) / CWE-434 (unrestricted upload of a dangerous file type) class.
## Affected Systems
- Products: Apache Struts
- Versions:
  - Struts 2.0.0 - Struts 2.3.37 (End-of-Life, no fix will be issued)
  - Struts 2.5.0 - Struts 2.5.33
  - Struts 6.0.0 - Struts 6.3.0.2
- Configurations: Applications on the affected versions whose file-upload actions rely on the legacy `FileUploadInterceptor`-based upload logic. Per the vendor advisory, applications that do not use that old upload mechanism are not affected.
## Vulnerability Description
The flaw is a path traversal in the legacy file-upload handling. The filename under which an upload is stored is derived from attacker-controlled upload parameters without being constrained to the intended directory, so `../` sequences let the attacker choose where on the filesystem the uploaded file is written. Writing a server-side script (for example a JSP) into a directory the servlet container serves turns the upload into Remote Code Execution: the attacker can then run system commands, exfiltrate data, or download further malicious payloads. The bug is closely related to CVE-2023-50164 (S2-066), and public reporting suggests it may stem from an incomplete fix for that issue.
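The application-side pattern the description refers to, shown as an added example that is not Struts code or the project's own: a handler that trusts the client-supplied filename when deciding where to write an upload, beside the containment and extension checks that close the hole. `UPLOAD_ROOT`, `ALLOWED_EXTENSIONS` and the attacker filenames are assumed values for this illustration.

```python
import os

# Added illustration (Python, not Struts/Java): an application that trusts the
# client-supplied filename when choosing where to write an upload, beside the
# containment and extension checks that close the hole. UPLOAD_ROOT and
# ALLOWED_EXTENSIONS are assumed values for this example.
UPLOAD_ROOT = "/var/www/app/uploads"
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def resolve_unsafe(client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Vulnerable pattern: join the attacker-controlled name onto the upload
    directory. '../' segments walk out of `root`, and an absolute name
    replaces `root` entirely (that is os.path.join's documented behaviour)."""
    return os.path.normpath(os.path.join(root, client_filename))


def resolve_safe(client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened pattern: normalise, then prove the destination is still inside
    `root` with commonpath (a plain string-prefix test would accept
    /var/www/app/uploads-evil/x), and allow only non-executable extensions so
    a .jsp can never land in a directory the container might serve."""
    # Treat backslashes as separators: Windows clients send them and some
    # servers translate them, so '..\\..\\x' must be seen as '../../x'.
    dest = os.path.normpath(os.path.join(root, client_filename.replace("\\", "/")))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload root: %r" % client_filename)
    ext = os.path.splitext(dest)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % client_filename)
    return dest


if __name__ == "__main__":
    attacker_name = "../../webapps/ROOT/shell.jsp"   # constructed attacker input
    print("unsafe ->", resolve_unsafe(attacker_name))
    for name in (attacker_name, "/etc/cron.d/evil", "report.pdf"):
        try:
            print("safe   ->", resolve_safe(name))
        except ValueError as err:
            print("safe   -> rejected:", err)
```

The stronger fix in practice is to ignore the client name altogether and generate a server-side name (for example a random UUID plus an allow-listed extension); the containment check above is what you add when the original name must be preserved.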
## Exploitation
- Status: Exploitation attempts detected in the wild (scanning reported by SANS ISC); public PoC code is available.
- Complexity: Low. The attack is a single crafted multipart upload request, and active scanning with public tooling has already been observed.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Potential for data exfiltration via RCE)
- Integrity: High (Ability to execute arbitrary code)
- Availability: High (Potential for system compromise/disruption via RCE)
## Remediation
### Patches
- Upgrade to Apache Struts version **6.4.0 or greater**. The upgrade alone does not close the hole: the deprecated `FileUploadInterceptor` is still shipped and remains vulnerable, so applications must also migrate their upload code (see below).
### Workarounds
- Rewrite file-upload actions to use the new **Action File Upload mechanism** and its interceptor (`ActionFileUploadInterceptor`) provided by Apache Struts 6.4.0; this change is not backward compatible, so existing actions need code changes. Per the vendor advisory, applications that do not use the legacy `FileUploadInterceptor`-based upload logic are not affected, so removing that interceptor from the interceptor stack (which disables file upload) removes the exposure until the migration is complete.
## Detection
- **Indicators of Compromise (IOCs):** SANS ISC observed scanning from IP address `169.150.226.162` that attempted to upload a script and then enumerate vulnerable systems; treat the address as a short-lived indicator. On a suspected host, look for newly written files (in particular `.jsp`) outside the intended upload directory, especially under directories the servlet container serves.
- **Detection Methods and Tools:** Inspect inbound multipart/form-data upload requests, checking not only the `filename` attribute but also plain text fields, for traversal sequences (`../`, `..\`, and their percent-encoded and double-encoded forms). Access logs alone rarely show this because the payload sits in the request body; a WAF, reverse-proxy request-body logging, or file-integrity monitoring of the web root is needed.
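The detection logic described above, as an added example that is not from the report or from SANS ISC: it parses a multipart/form-data body and flags upload parts whose filename, field name or text value carries a traversal sequence after percent-decoding. The request bodies are constructed samples, not captured traffic; the field name `top.UploadFileName` is an assumed name following the Struts `<field>FileName` property convention, and the boundary string is made up.

```python
import re
from urllib.parse import unquote

# Added detection example (not from the report or SANS ISC). It parses a
# multipart/form-data body and flags upload parts whose filename, field name
# or text value carries a traversal sequence after decoding. The request
# bodies below are constructed samples, not captured traffic; the field name
# top.UploadFileName is assumed, following the Struts <field>FileName convention.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
DISPOSITION_RE = re.compile(r"Content-Disposition:\s*form-data;(.*)", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
EXECUTABLE_EXT = (".jsp", ".jspx", ".war", ".jar")


def decode_value(value: str) -> str:
    """Percent-decode up to twice (double encoding is a common filter bypass)
    and map backslashes to slashes so '..\\' is seen as '../'."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def parse_multipart(body: str, boundary: str):
    """Yield (field_name, filename_or_None, value) for each part."""
    for raw in body.split("--" + boundary):
        raw = raw.strip()
        if not raw or raw == "--":          # preamble / closing delimiter
            continue
        head, _, value = raw.partition("\r\n\r\n")
        m = DISPOSITION_RE.search(head)
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group(1)))
        yield attrs.get("name", ""), attrs.get("filename"), value


def find_traversal(body: str, boundary: str):
    """Return (field, where, decoded_value, likely_rce) for each suspicious
    part. Text fields are checked too, because in the vulnerable upload flow
    the stored filename can be supplied through a plain parameter."""
    findings = []
    for field, filename, value in parse_multipart(body, boundary):
        checks = [("name", field)]
        if filename is not None:
            checks.append(("filename", filename))
        else:
            checks.append(("value", value))
        for where, raw in checks:
            decoded = decode_value(raw)
            if TRAVERSAL_RE.search(decoded):
                likely_rce = decoded.lower().endswith(EXECUTABLE_EXT)
                findings.append((field, where, decoded, likely_rce))
    return findings


BOUNDARY = "----ConstructedBoundary42"
BENIGN_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 (constructed placeholder)\r\n"
    "--" + BOUNDARY + "--\r\n"
)
MALICIOUS_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="upload"; filename="..\\..\\webapps\\ROOT\\shell.jsp"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<%-- constructed placeholder, no payload --%>\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="top.UploadFileName"\r\n\r\n'
    "%2e%2e/%2e%2e/webapps/ROOT/shell.jsp\r\n"
    "--" + BOUNDARY + "--\r\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, find_traversal(body, BOUNDARY))
```

This only catches ASCII and percent-encoded forms; overlong UTF-8 or Unicode look-alike separators need the same treatment at the point where the server decodes them, and a request-body logging or WAF layer is required to feed real traffic into a check like this.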
## References
- Vendor Advisories: [https://cwiki.apache.org/confluence/display/WW/S2-067](https://cwiki.apache.org/confluence/display/WW/S2-067)
- Related Vulnerability CVE-2023-50164: [https://nvd.nist.gov/vuln/detail/CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164)
- Public PoC Repository: [https://github.com/TAM-K592/CVE-2024-53677-S2-067](https://github.com/TAM-K592/CVE-2024-53677-S2-067)
- SANS Diary Entry: [https://isc.sans.edu/diary/31520](https://isc.sans.edu/diary/31520)