Vulnerability in Apache Struts2 could allow remote code execution

A vulnerability has been discovered in Apache Struts2, which could allow remote code execution. Apache Struts2 is an open source web application framework used for developing Java web applications. Successful exploitation of this vulnerability could allow remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Services whose accounts are configured to have fewer system rights may be less impacted than those operating with administrative user rights.

The SANS Institute has observed exploitation attempts related to this vulnerability, initially originating from IP address 169.[.]150[.]226[.]162.

A vulnerability has been discovered in Apache Struts2, which could allow remote code execution. An attacker can manipulate file upload settings to enable path traversal and, in certain circumstances, this can lead to the upload of a malicious file that can be used to execute code remotely. The details of the vulnerability are as follows:

Tactical: Initial access (TA0001):

Technical: Operate a public application (T1190):

• File Upload Vulnerability Allowing Path Traversal to RCE (CVE-2024-53677)

Successful exploitation could enable remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Services whose accounts are configured to have fewer system rights may be less impacted than those operating with administrative user rights.

We recommend taking the following measures:

• Apply appropriate Apache-provided updates to vulnerable systems immediately after appropriate testing. Users are recommended to upgrade to at least version 6.4.0 and migrate to the new file upload mechanism. If you don't use old FileuploadInterceptor-based file upload logic, your application is secure. (M1051: Update software)
• Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
• Backup 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
• Backup 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
• Backup 7.5: Perform automated vulnerability scans of internal company assets: Perform automated vulnerability scans of internal company assets on a quarterly or more frequent basis. Perform authenticated and unauthenticated scans using a SCAP-compliant vulnerability scanning tool.
• Backup 7.7: Fix detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
• Backup 12.1: Make sure the network infrastructure is up to date: Make sure the network infrastructure is kept up to date. Example implementations include running the latest stable version of the software and/or using currently supported Network as a Service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
• Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged account management)
• Backup 4.7: Manage default accounts on company assets and software: Manage default accounts on company assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
• Backup 5.5: Establish and maintain an inventory of service accounts: Establish and maintain an inventory of service accounts. The inventory must at a minimum contain the service owner, review date and purpose. Perform service account reviews to verify that all active accounts are authorized, on a recurring schedule at least quarterly or more frequently.
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities for remediation. (M1016: Vulnerability Analysis)
• Backup 16.13: Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester's ability to manually manipulate an application as an authenticated and unauthenticated user.
• Architect sections of the network to isolate critical systems, functions or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain all Internet-accessible services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network segmentation)
• Backup 12.2: Establish and maintain a secure network architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, at least
• privilege and availability, at a minimum.
• Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
• Backup 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on company assets and software where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG) or Apple System Integrity Protection (SIP) and Gatekeeper.