Path Traversal and Malicious File Upload Flaw Potentially Exploitable
A serious vulnerability in Apache Struts 2, tracked as CVE-2024-53677 with a CVSS 4.0 score of 9.5, has drawn attention from cybersecurity experts and organizations worldwide. The flaw resides in the framework’s file upload logic and can enable path traversal and malicious file uploads, potentially leading to remote code execution on affected systems.
The Challenge of Mitigating the Risk
Applying the available patch is no straightforward task. The Apache team has cautioned system administrators that the update is not backward-compatible. "You must rewrite your actions to utilize the new Action File Upload mechanism and associated interceptor," Apache warned. "Continuing to use the old File Upload mechanism leaves your systems exposed to this attack."
This requirement for significant reconfiguration could leave many systems vulnerable as organizations struggle to implement the changes.
Exploitation Attempts Observed
Johannes Ullrich, Dean of Research at the SANS Institute, reported active attempts to exploit the vulnerability using publicly available proof-of-concept (PoC) code. "Attackers are uploading an 'exploit.jsp' file, which they use to identify vulnerable systems. The presence of the exploit.jsp file confirms the system is running Apache Struts," Ullrich explained.
While these observations are concerning, the extent of successful exploitation remains under debate.
Conflicting Perspectives on Threat Severity
Security researcher Kevin Beaumont has called for measured responses, suggesting that reports of widespread exploitation are overstated. Posting on Mastodon, Beaumont noted that while attackers may be attempting to exploit the flaw, their efforts are unlikely to succeed without additional steps.
"The PoC code isn't functional as-is," Beaumont explained. "Attackers are essentially 'spraying and praying.' Exploitation would require a deliberately vulnerable web application and custom tailoring of the proof of concept to fit that specific environment."
Urgent Calls for Action from National Authorities
Despite the challenges in successful exploitation, national cybersecurity agencies in Canada, Australia, and Belgium have issued advisories urging organizations to act immediately. These alerts emphasize the importance of assessing systems for vulnerabilities and applying patches or mitigations as soon as possible.
What This Means for Organizations
The Apache Struts vulnerability highlights the ongoing challenges of securing widely used frameworks against increasingly sophisticated attacks. Organizations relying on Apache Struts must prioritize identifying and mitigating this vulnerability, even if applying the patch requires significant effort.
While some researchers downplay the likelihood of widespread exploitation, the active attempts reported underscore the importance of proactive defenses. Organizations are encouraged to stay vigilant, monitor official guidance, and ensure their systems are protected against potential exploits.
0 Comments