A critical security flaw in Apache Struts is under attack, so patch now

Security researchers warn an Apache Struts 2 flaw is being actively exploited
The attack surface is relatively big, with companies worldwide possible affected
A patch is available, and users are urged to apply it

A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging users to apply the patch or run the latest version as soon as possible.

Apache Struts 2 is an open source web application framework for developing Java-based web applications. It aims to simplify the creation of interactive web applications and is often used by large enterprises and government agencies.

Apache recently reported finding a “file upload logic” flaw in versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. Versions 6.4.0 and 7.0.0 were deemed safe. The bug is tracked as CVE-2024-53677, and has a severity score of 9.5/10 (critical), since it can be used to manipulate upload parameters, and thus enable path traversal. As a result, malicious actors can upload arbitrary files into restricted directories, enabling remote code execution (RCE), and thus data theft and system takeover.

Patching the flaw

Apache has released a patch for the flaw, but at the same time, a proof-of-concept (PoC) exploit was made publicly available.

The bare minimum users should do is upgrade to version 6.4.0, since this one does not use the flawed Struts’ File Upload Interceptor component.

In their writeup, cybersecurity researchers from Vulcan stressed Apache Struts flaws were “prime targets for attackers”, reminding their readers about the Equifax breach from 2017, which was attributed to a similar flaw. They also said that Struts 2 has significant download volume – roughly 300,000 monthly requests – meaning the attack surface is quite large.

Finally, they said CISA already added multiple Struts RCE flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Via The Register

https://cdn.mos.cms.futurecdn.net/8YD47RWwarUMjSyhbAE2u-1200-80.jpg

Source link

2026: The year enterprise AI finally gets to work

New Sky Original action movie Fuze has the most bizarre connection to Taylor Swift’s Eras Tour — and it could have shut down production

Why shouldn’t I indulge in Ninja’s Smart Kettle now it’s hit a record low price at Amazon?

Smeg’s tiny and stylish new milk frother will add a touch of flair to your morning coffee routine

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Brian Cox Joins Cast of Dexter: Resurrection Season 2

Updates on Release, Plot & More – Hollywood Life

Don Lemon Considers Presidential Run

K-pop Star Mark Lee Departing SM Entertainment, NCT 127 and NCT Dream

Arzum shareholders explore sale of majority stake; shares surge

Myanmar junta chief Min Aung Hlaing elected president by pro-military parliament

Zelenskiy says frontline situation best for Ukraine in the last 10 months

Samsung Elec likely to report stupendous surge in quarterly profit to record level

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

A critical security flaw in Apache Struts is under attack, so patch now

Arzum shareholders explore sale of majority stake; shares surge

Brian Cox Joins Cast of Dexter: Resurrection Season 2

Updates on Release, Plot & More – Hollywood Life

Myanmar junta chief Min Aung Hlaing elected president by pro-military parliament