Note: This Emerging Threat is also published in the new Fortra Security & Trust Center - the new location for all Emerging Threats beginning in January 2025. Refer to Emerging Threats Moving to Fortra.com for more information on following Emerging Threats in their new location.
Fortra is actively researching a vulnerability affecting Apache Struts 2, CVE-2024-53677. By manipulating file upload parameters, a malicious actor can achieve path traversal on the server. Under some circumstances, this allows a malicious file to be written to a location from which it can be used to achieve remote code execution. Fixed versions have been released, and customers should upgrade and migrate their file upload handling as soon as possible.
Who is affected?
The following versions of Apache Struts are affected by this vulnerability:
- 2.0.0 to 2.3.37 (End of Life)
- 2.5.0 to 2.5.33
- 6.0.0 to 6.3.0.2
Note that only applications that use the legacy FileUploadInterceptor are vulnerable. Applications that do not reference this interceptor explicitly should still check whether the interceptor stack they rely on includes it.
What can I do?
Customers are recommended to upgrade at least to Struts 6.4.0 (or the latest version) and migrate to the new file upload mechanism. Upgrading alone is not sufficient: an application that keeps using the legacy FileUploadInterceptor after the upgrade remains exposed, so the upload actions must be migrated off it.
For more information, refer to this security bulletin.
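As an added example, and not code from Fortra or the Apache Struts project: a hypothetical upload action migrated to the new Struts 6.4 file upload mechanism (the UploadedFilesAware callback invoked by ActionFileUploadInterceptor). The destination path is derived from the base name of the client-supplied file name only and is then verified to stay inside the upload root, so a manipulated name cannot be used for the traversal described above. The class name, the upload root and the character whitelist are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * Hypothetical upload action using the Struts 6.4+ file upload mechanism.
 * Not from the advisory; the upload root below is an assumption.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed upload root. In a real deployment this comes from configuration
    // and must lie outside the web application's document root.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> uploadedFiles;

    // Called by ActionFileUploadInterceptor. Unlike the legacy setters
    // (setUploadFileName, setUploadContentType), the file name and content type
    // are not bound from arbitrary request parameters.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file uploaded");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_ROOT);
        for (UploadedFile file : uploadedFiles) {
            // getContent() is the temporary File written by the multipart parser.
            File tmp = (File) file.getContent();
            Path target = resolveTarget(file.getOriginalName());
            Files.copy(tmp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Reduce the client-supplied name to its base name, restrict it to a
     * conservative character set, and verify the resolved path stays under
     * UPLOAD_ROOT. Rejects "..", absolute paths and embedded separators.
     */
    static Path resolveTarget(String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Base name only: drop any directory component, for either separator.
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Whitelist characters (assumed policy); anything else becomes '_'.
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + clientName);
        }
        Path target = UPLOAD_ROOT.resolve(base).normalize();
        // Defence in depth: even after sanitising, confirm containment.
        if (!target.startsWith(UPLOAD_ROOT) || target.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientName);
        }
        return target;
    }
}
```

For this to take effect the action must be wired to the new interceptor (ActionFileUploadInterceptor, registered as `actionFileUpload` in recent Struts versions) rather than the legacy `fileUpload` interceptor in struts.xml, and the legacy `File`, file name and content type setters should be deleted rather than left alongside the new callback.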
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Alert Logic Network IDS: Alert Logic released IDS telemetry signatures to aid in detection research. Additionally, existing signatures can detect exploit attempts.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated and agent-based scan detection for this vulnerability on December 23, 2024, followed by unauthenticated scan detection on December 26, 2024.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
12/17/2024: Alert Logic released IDS telemetry signatures to aid in detection research.
12/23/2024: Alert Logic released authenticated and agent-based scan detection.
12/26/2024: Alert Logic released unauthenticated scan detection.