Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch.

Struts 2 is an open source framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

"The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline," explains Chris Wysopal, chief security evangelist at Veracode. "As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness."

Wysopal assesses, "It is likely that we will see the exploitation of this vulnerability for weeks, as organizations find and fix all instances of Struts 2 usage."

Related:Delinea Joins CVE Numbering Authority Program

RCE Bug in Apache Struts 2

This same time last year, nearly to the day, a Struts 2 vulnerability with a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 regen. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest déjà vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading "a one-liner script that is supposed to return 'Apache Struts.' Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository," he wrote.

Related:Does Desktop AI Come With a Side of Risk?

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backward compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

"It's not a simple version bump," warns Saeed Abbasi, manager of vulnerability research at Qualys. "It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plug-in chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing."

The Potential Scope of Impact for CVE-2024-53677

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

Related:Citizen Development Moves Too Fast for Its Own Good

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits; even its newsletter had thousands of subscribers. Today, Wysopal says, "It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity."

"Its 'kingdom' is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize," he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys "observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge."

To his view, "The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out."