Apache Struts 2 vulnerability discovered, as proof of concept circulates

A new vulnerability in the Struts 2 web application framework can potentially enable a remote attacker to execute code on systems running apps based on earlier versions of the software.

The vulnerability, announced this week by Apache, involves a potential attacker manipulating file upload parameters in what is referred to as a path traversal attack. Path traversal is a broad term, according to Akamai senior security researcher Sam Tinklenberg.

“In this case, the use of path traversals allows an attacker to upload a malicious file, most likely a webshell, outside of the normal upload directory,” he said. “The exact location will differ from application to application and must be a valid path which can be accessed from the internet.”
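A defensive check for the upload-filename handling described above, as an added example that is not part of the article, not Struts code and not Akamai's: it treats the client-supplied filename as untrusted, refuses any name that carries directory components (URL-encoded or backslash-separated ones included), and confirms the resolved target still sits inside the upload directory. The upload root and the sample filenames are constructed for illustration, and the detection helper over those samples is the kind of check a log review would run.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumption: the application's upload directory (constructed for this example)
UPLOAD_ROOT = Path("/srv/app/uploads")


def decode_client_filename(raw: str) -> str:
    """Undo a few layers of URL encoding and unify separators, so a check
    for '../' also catches '%2e%2e%2f' and '..\\'."""
    name = raw
    for _ in range(3):  # bounded: stop after a few rounds of decoding
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.replace("\\", "/")


def is_traversal_attempt(raw_filename: str) -> bool:
    """True when the client-supplied name tries to address a directory:
    a parent reference, an absolute path, a drive letter or a NUL byte."""
    name = decode_client_filename(raw_filename)
    if "\x00" in name:
        return True
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    return any(part == ".." for part in name.split("/"))


def safe_upload_path(upload_root: Path, raw_filename: str) -> Optional[Path]:
    """Return the path the file may be written to, or None to reject it.
    Only a bare filename is accepted; the directory is always upload_root."""
    name = decode_client_filename(raw_filename)
    if not name or "\x00" in name or "/" in name or name in (".", ".."):
        return None
    root = upload_root.resolve()
    target = (root / name).resolve()
    # Defence in depth: after symlink resolution the parent must still be the root
    if target.parent != root:
        return None
    return target


def flag_suspicious_uploads(filenames) -> list:
    """Detection helper: return the client filenames that look like traversal."""
    return [f for f in filenames if is_traversal_attempt(f)]


# Constructed sample of client-supplied filenames, as an upload log might record them
SAMPLE_FILENAMES = [
    "invoice-2024.pdf",
    "../../webapps/app/x.jsp",
    "..%2f..%2fwebapps%2fapp%2fx.jsp",
    "..\\..\\webapps\\app\\x.jsp",
    "/etc/cron.d/job",
    "photo.png",
]

if __name__ == "__main__":
    for f in SAMPLE_FILENAMES:
        print(f"{f!r:40} -> {safe_upload_path(UPLOAD_ROOT, f)}")
    print("flagged:", flag_suspicious_uploads(SAMPLE_FILENAMES))
```

The design choice is to reject rather than sanitise: stripping `../` from a name and writing whatever is left invites encoding tricks, whereas refusing any name with a separator keeps the write location under the server's control, and the `resolve()` comparison catches symlinked upload directories as a second layer.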

The flaw affects only older versions of the Struts 2 framework, and upgrading to versions 2.5.33, 6.3.0.2 or greater should eliminate the possibility of exploitation. It was first reported by researcher Steven Seeley.

Struts’ maintainers at the Apache Software Foundation urged users to patch immediately, saying that the update is “a drop-in replacement, and upgrade should be straightforward.”

Adding urgency to the need to patch is the news that proof of concept code has been spotted in the wild. A post from the Shadowserver Foundation, a nonprofit security group that bills itself as a leading reporter and tracker of malicious internet activity, on X (formerly Twitter), said that PoC code has been seen on sensors.

Struts 2 is a widely used framework for the development of enterprise web applications, and as such, it’s a common target for cybercriminals, according to Tinklenberg. He noted, however, that the PoC code being seen in the wild is mostly generic scanning and doesn’t currently represent an imminent threat.

“For this exploit to be successful, the attack request needs to be tailored to the underlying web application,” he said. “It is not likely, the path and parameter used in the POC [must] exist in a real-world deployment or have the required file upload functionality.”

Vulnerabilities in the Struts 2 framework were at the root of the infamous Equifax breach in March 2017, which saw the personal information of hundreds of millions of people compromised and brought widespread criticism for Equifax. The company was forced to pay more than half a billion dollars in litigation settlements and fines.
