A critical security flaw in Apache Struts is under attack, so patch now

Security researchers warn an Apache Struts 2 flaw is being actively exploited
The attack surface is relatively big, with companies worldwide possible affected
A patch is available, and users are urged to apply it

A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging users to apply the patch or run the latest version as soon as possible.

Apache Struts 2 is an open source web application framework for developing Java-based web applications. It aims to simplify the creation of interactive web applications and is often used by large enterprises and government agencies.

Apache recently reported finding a “file upload logic” flaw in versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. Versions 6.4.0 and 7.0.0 were deemed safe. The bug is tracked as CVE-2024-53677, and has a severity score of 9.5/10 (critical), since it can be used to manipulate upload parameters, and thus enable path traversal. As a result, malicious actors can upload arbitrary files into restricted directories, enabling remote code execution (RCE), and thus data theft and system takeover.

Patching the flaw

Apache has released a patch for the flaw, but at the same time, a proof-of-concept (PoC) exploit was made publicly available.

The bare minimum users should do is upgrade to version 6.4.0, since this one does not use the flawed Struts’ File Upload Interceptor component.

In their writeup, cybersecurity researchers from Vulcan stressed Apache Struts flaws were “prime targets for attackers”, reminding their readers about the Equifax breach from 2017, which was attributed to a similar flaw. They also said that Struts 2 has significant download volume – roughly 300,000 monthly requests – meaning the attack surface is quite large.

Finally, they said CISA already added multiple Struts RCE flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Via The Register

https://cdn.mos.cms.futurecdn.net/8YD47RWwarUMjSyhbAE2u-1200-80.jpg

Source link

Mini-LED TVs will be more competitive than ever in 2025, and we’re all the winners

What is PIA’s MACE feature

Real Madrid vs Barcelona live stream: how to watch Spanish Supercopa final online

Here’s just how thin the iPhone 17 Air could be – and it’s thinner than the rumored Galaxy S25 Slim

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

A critical security flaw in Apache Struts is under attack, so patch now

Mini-LED TVs will be more competitive than ever in 2025, and we’re all the winners

What is PIA’s MACE feature

Real Madrid vs Barcelona live stream: how to watch Spanish Supercopa final online

Here’s just how thin the iPhone 17 Air could be – and it’s thinner than the rumored Galaxy S25 Slim

Leave a reply Cancel reply