A critical, stubborn new vulnerability in Apache Struts 2 may already be under active exploitation, and fixing it isn't as simple as downloading a patch.
Struts 2 is an open source (OSS) framework for building Java applications. Though past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its age is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so challenging. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issue like this one may require more than just a typical patch.
“The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline,” explains Chris Wysopal, chief security evangelist at Veracode. “As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers could exploit and take advantage of this weakness.”
He assesses that “It’s likely that we will see the exploitation of this vulnerability for weeks as organizations find and fix all instances of Struts 2 usage.”
RCE Bug in Apache Struts 2
This same time last year, almost to the day, a Struts 2 vulnerability with a “critical” 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers’ ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.
CVE-2024-53677 is CVE-2023-50164 redux. It, too, lies in Struts 2’s File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest deja vu.
He also observed active exploitation attempts from one IP address, which used a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading “a one-liner script that is supposed to return ‘Apache Struts.’ Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository,” he wrote.
Typically in situations like this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn’t quite as simple.
Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn’t backwards compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newer Action File Upload Interceptor, and change how their existing applications handle file uploads by diligently rewriting their code to use it.
“It’s not a simple version bump,” warns Saeed Abbasi, manager of vulnerability research at Qualys. “It requires code rewrites, configuration changes, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plugin chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing.”
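To show what the rewrite Abbasi describes actually involves, here is an added illustration (not code from the article or from the Struts project) of an upload action moved from the legacy setter-based pattern to the Action File Upload Interceptor. It assumes the Struts 6.4+ `UploadedFilesAware`/`UploadedFile` API, that `getContent()` returns a `java.io.File` under the default multipart parser, and a hypothetical storage directory of `/var/app/uploads`.

```java
// Added illustration; not the article's or the Struts project's own code.
// Legacy pattern (before Struts 6.4.0): FileUploadInterceptor called setters such as
// setUpload(File), setUploadContentType(String) and setUploadFileName(String) on the
// action for a form field named "upload". Those setters are no longer invoked once the
// default interceptor stack uses actionFileUpload (assumed for 6.4.0+), so the action
// must implement UploadedFilesAware instead.
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class UploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumed storage location; it must sit outside the web root so an uploaded
    // file can never be served or executed by the container.
    private static final Path STORE = Paths.get("/var/app/uploads").toAbsolutePath();
    private UploadedFile upload;

    // New pattern: the interceptor hands over UploadedFile objects in one call.
    @Override
    public void withUploadedFiles(List<UploadedFile> files) {
        if (!files.isEmpty()) {
            upload = files.get(0);
        }
    }

    @Override
    public String execute() throws Exception {
        if (upload == null) {
            addActionError("No file received");
            return INPUT;
        }
        // The client-supplied name is untrusted input: keep only its last path
        // component, reject traversal characters, and confirm the resolved target
        // is still inside STORE before writing anything.
        String original = upload.getOriginalName();
        if (original == null || original.contains("..")
                || original.contains("/") || original.contains("\\")) {
            addActionError("Invalid file name");
            return INPUT;
        }
        Path target = STORE.resolve(original).normalize();
        if (!target.startsWith(STORE)) {
            addActionError("Invalid file name");
            return INPUT;
        }
        Files.copy(((File) upload.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}
```

Regression tests for the migration should cover both the happy path and the rejected names, since the old and new interceptors surface the file name to the action differently.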
The Potential Scope of Impact for CVE-2024-53677
The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.
In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits, and even its newsletter had thousands of subscribers. Today, Wysopal says, “It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity.”
“Its ‘kingdom’ is confined to those stable, older applications in conservative industries — notably finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize,” he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.
Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys “observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the issue.”
In his view, “The persistence of Struts 2 in critical systems, long after safer frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning, which compounds the impact of new vulnerabilities. Enterprises need robust attack surface management, including lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out.”