A critical, stubborn new vulnerability in Apache Struts 2 may already be under active exploitation, and fixing it isn't as simple as downloading a patch.
Struts 2 is an open source (OSS) framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its age is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this one may require more than just a standard patch.
“The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline,” explains Chris Wysopal, chief security evangelist at Veracode. “As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers could exploit and take advantage of this weakness.”
He assesses that “It's likely that we'll see the exploitation of this vulnerability for weeks as organizations find and fix all instances of Struts 2 usage.”
RCE Bug in Apache Struts 2
This same time last year, almost to the day, a Struts 2 vulnerability with a “critical” 9.8 rating in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.
CVE-2024-53677 is CVE-2023-50164 redux. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and allows RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest deja vu.
He also observed active exploitation attempts from one IP address, which used a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading “a one-liner script that is supposed to return ‘Apache Struts.’ Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository,” he wrote.
Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.
Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at minimum, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backwards compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the new Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.
“It isn't a simple version bump,” warns Saeed Abbasi, manager of vulnerability research at Qualys. “It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plugin chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing.”
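To make the required rewrite concrete, here is an added example (not from the article or from the Struts project) of an upload action written for the Action File Upload Interceptor, with the old setter-based pattern it replaces noted in the comments. The interface and class names (UploadedFilesAware, UploadedFile) and the methods called on them are taken from the Struts 6.4 API as I recall it, and the upload directory is an assumed setting; verify both against the project's own migration guide before relying on them.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Deprecated FileUploadInterceptor style: the action exposed setUpload(File),
// setUploadFileName(String) and setUploadContentType(String), so the file name
// reached it like any other bound request parameter. Action File Upload
// Interceptor style: the action implements UploadedFilesAware, receives the
// files through one callback, and alone decides how the client-supplied name is used.
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed deployment setting: upload store outside the web root.
    private static final Path UPLOAD_DIR = Path.of("/var/app/uploads").toAbsolutePath().normalize();

    private UploadedFile uploadedFile;
    private String storedAs;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) {
            uploadedFile = uploadedFiles.get(0); // this action accepts a single file
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            addActionError("No file received");
            return INPUT;
        }
        // Never derive the on-disk path from getOriginalName(): store under a
        // server-generated name and keep the original only as display metadata.
        storedAs = UUID.randomUUID().toString();
        Path target = UPLOAD_DIR.resolve(storedAs).normalize();
        if (!target.startsWith(UPLOAD_DIR)) { // containment rule, kept as defence in depth
            addActionError("Refused to store outside the upload directory");
            return ERROR;
        }
        Files.createDirectories(UPLOAD_DIR);
        Files.move(Path.of(uploadedFile.getAbsolutePath()), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
    public String getStoredAs() { return storedAs; }
    public String getOriginalName() { return uploadedFile == null ? null : uploadedFile.getOriginalName(); }
}
```

The corresponding struts.xml change is to reference the new interceptor in the action's stack in place of the deprecated one; regression-test every upload path afterwards, as Abbasi notes above.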
The Potential Scope of Impression for CVE-2024-53677
The national cybersecurity centers of Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.
In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits, and even its newsletter had thousands of subscribers. Today, Wysopal says, “It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity.”
“Its ‘kingdom’ is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize,” he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.
Just how widespread is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys “observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the issue.”
In his view, “The persistence of Struts 2 in critical systems, long after safer frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning, which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, including lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out.”