TechRadar
Sead Fadilpašić

A critical security flaw in Apache Struts is under attack, so patch now

  • Security researchers warn an Apache Struts 2 flaw is being actively exploited
  • The attack surface is relatively big, with companies worldwide possibly affected
  • A patch is available, and users are urged to apply it

A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging users to apply the patch or run the latest version as soon as possible.

Apache Struts 2 is an open source web application framework for developing Java-based web applications. It aims to simplify the creation of interactive web applications and is often used by large enterprises and government agencies.

Apache recently reported finding a “file upload logic” flaw in versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. Versions 6.4.0 and 7.0.0 were deemed safe. The bug is tracked as CVE-2024-53677, and has a severity score of 9.5/10 (critical), since it can be used to manipulate upload parameters, and thus enable path traversal. As a result, malicious actors can upload arbitrary files into restricted directories, enabling remote code execution (RCE), and thus data theft and system takeover.

Patching the flaw

Apache has released a patch for the flaw, but at the same time, a proof-of-concept (PoC) exploit was made publicly available.

The bare minimum users should do is upgrade to version 6.4.0, since that release no longer uses the flawed File Upload Interceptor component of Struts.
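Two practitioner checks follow, as an added example that is not code from Apache, Struts, or the article. The version ranges are exactly the ones the article quotes for CVE-2024-53677; the path check is a generic containment rule for the traversal pattern the article describes (an upload name that escapes the intended directory), not the actual fix shipped in Struts 6.4.0. The upload root and file names are constructed sample values.

```python
"""Defender-side checks for the Struts 2 file-upload issue described above.

Added example, not project code. AFFECTED_RANGES mirrors the version ranges
quoted in the article; safe_upload_path() is an illustrative containment
policy, not the upstream patch.
"""
import re
from pathlib import Path, PurePosixPath

# Inclusive version ranges the article reports as affected by CVE-2024-53677.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]


def parse_version(text):
    """Turn '6.3.0.2' into (6, 3, 0, 2).

    A trailing qualifier such as '-SNAPSHOT' or '+build' is dropped so the
    numeric part can be compared as a tuple.
    """
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True if the given Struts version falls in a reported vulnerable range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def safe_upload_path(upload_root, requested_name):
    """Return the destination Path for an upload, or None if the name is unsafe.

    Policy (constructed for this example): accept only a bare file name.
    Anything with a directory component, an absolute prefix, a '..' or '.'
    entry, or an embedded NUL is rejected outright rather than flattened,
    so a caller cannot steer the file outside upload_root.
    """
    root = Path(upload_root).resolve()
    # Normalise Windows-style separators so a backslash cannot hide a path part.
    pure = PurePosixPath(requested_name.replace("\\", "/"))
    if "\x00" in requested_name:
        return None
    if pure.is_absolute() or len(pure.parts) != 1 or pure.name in ("", ".", ".."):
        return None
    destination = (root / pure.name).resolve()
    # Belt and braces: the resolved target must still sit directly under root.
    if destination.parent != root:
        return None
    return destination


if __name__ == "__main__":
    for candidate in ("2.3.37", "2.5.33", "6.3.0.2", "6.4.0", "7.0.0"):
        print(f"Struts {candidate}: {'AFFECTED' if is_affected(candidate) else 'not in affected ranges'}")
    # Constructed sample upload root and names.
    for name in ("report.pdf", "../../etc/passwd", "/etc/passwd", "a/../b.jsp"):
        print(f"{name!r} -> {safe_upload_path('/var/www/uploads', name)}")
```

The version check answers the first question a responder asks (is the deployed build in a reported range?), while the path policy shows the shape of the defence the article's description calls for: decide on containment before touching the filesystem, and reject rather than "clean up" names that carry directory parts.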

In their writeup, cybersecurity researchers from Vulcan stressed Apache Struts flaws were “prime targets for attackers”, reminding their readers about the Equifax breach from 2017, which was attributed to a similar flaw. They also said that Struts 2 has significant download volume - roughly 300,000 monthly requests - meaning the attack surface is quite large.

Finally, they said CISA already added multiple Struts RCE flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Via The Register
