Published on: 17 December 2024
Last update on: 18 December 2024
The Apache Software Foundation has released a security bulletin to address a vulnerability in Apache Struts. A remote attacker could exploit the vulnerability by sending a specially crafted request to an affected system.
Reports indicate that a proof-of-concept (PoC) for the remote code execution vulnerability (CVE-2024-53677) affecting Apache Struts is publicly available and that the vulnerability is being exploited in the wild. System administrators are advised to take immediate action to patch their affected systems to mitigate the elevated risk of cyber attacks.
Please note that some versions of Apache Struts have reached End-Of-Life (EOL), and no security updates will be provided for them. System administrators should arrange to upgrade Apache Struts to a supported version or to migrate to another supported technology.
For detailed information on the affected systems, please refer to the corresponding security bulletin on the vendor's website.
Successful exploitation of the vulnerability could lead to remote code execution on an affected system.
Administrators of the affected systems should upgrade Apache Struts to version 6.4.0 or later and replace the deprecated File Upload Interceptor with the Action File Upload Interceptor to address the issue. The updates are available at:
https://struts.apache.org/download.cgi
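The remediation above is a code change as well as a version bump: an action that relied on the deprecated File Upload Interceptor has to be rewritten for the Action File Upload Interceptor, which delivers parsed uploads through the UploadedFilesAware callback instead of through public setters on the action. The following is an added example, not code from this bulletin or from the Apache Struts project, of an upload action written against the Struts 6.4.0 API as the editor understands it (UploadedFilesAware, UploadedFile with getOriginalName(), getContentType() and getAbsolutePath()). The class name, the upload directory, the allowed content types and the error messages are hypothetical.

```java
// Added example, not code from the bulletin or from the Apache Struts project.
// An upload action migrated to the Action File Upload Interceptor of Struts 6.4.0+.
// Class name, upload directory, allowed content types and messages are hypothetical.
package example.upload;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class SecureUploadAction extends ActionSupport implements UploadedFilesAware {

    // Fixed destination chosen by the application, never by the request (hypothetical path).
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");
    // Allow-list of content types this action accepts (hypothetical).
    private static final Set<String> ALLOWED_TYPES =
            Set.of("image/png", "image/jpeg", "application/pdf");

    private final List<UploadedFile> uploadedFiles = new ArrayList<>();

    // The deprecated File Upload Interceptor expected public setters on the action
    // (setXxxFileName(), setXxxContentType(), ...) which other interceptors could populate.
    // The Action File Upload Interceptor hands the parsed files over through this one
    // callback instead, so the action exposes no such setters at all.
    @Override
    public void withUploadedFiles(List<UploadedFile> files) {
        uploadedFiles.clear();
        uploadedFiles.addAll(files);
    }

    @Override
    public String execute() throws IOException {
        Files.createDirectories(UPLOAD_DIR);
        for (UploadedFile file : uploadedFiles) {
            if (!ALLOWED_TYPES.contains(file.getContentType())) {
                addActionError("Unsupported content type: " + file.getContentType());
                return INPUT;
            }
            // The client-supplied name is untrusted: keep only its last path element and
            // confirm the resolved target still lies inside UPLOAD_DIR before writing.
            String original = file.getOriginalName() == null ? "" : file.getOriginalName();
            Path namePart = Paths.get(original).getFileName();
            if (namePart == null || namePart.toString().isBlank()) {
                addActionError("Missing file name");
                return INPUT;
            }
            Path target = UPLOAD_DIR.resolve(namePart.toString()).normalize();
            if (!target.startsWith(UPLOAD_DIR)) {
                addActionError("Rejected file name: " + original);
                return INPUT;
            }
            // The interceptor has already stored the upload in a temporary file; move it into place.
            Path temp = Paths.get(file.getAbsolutePath());
            Files.move(temp, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```

For the callback to be invoked, the action must run through the new interceptor: in struts.xml the action's stack references the interceptor registered in Struts 6.4.0's default configuration as actionFileUpload (for example <interceptor-ref name="actionFileUpload"/> ahead of the rest of the stack) rather than the deprecated fileUpload interceptor. A quick way to confirm that the migration is complete across a code base is to search it for classes that still implement the old setter pattern or whose struts.xml still references fileUpload; any hit is an action that has not yet been moved off the deprecated interceptor.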