This alert is relevant to Australian Organisations who use, develop or support Java applications which use the Apache Struts2 Framework. Multiple enterprise Java applications use this framework and are likely at risk. This alert is intended to be understood by technical users. Affected Australian Organisations and users are encouraged to apply available patches and workarounds as soon as possible, monitor for patches in any Java applications in use and assess their environment for compromise.
Background / What has happened?
- A critical vulnerability (CVE-2024-53677) has been identified in the file upload logic of the Apache Struts2 Framework. An attacker who can manipulate file upload parameters may achieve path traversal and, under some circumstances, upload a malicious file that can then be used to perform remote code execution. Only applications that use the legacy FileUploadInterceptor for file uploads are affected.
Affected versions / applications:
- Struts 2.0.0 - Struts 2.3.37 (end of life)
- Struts 2.5.0 - Struts 2.5.33
- Struts 6.0.0 - Struts 6.3.0.2
Vulnerabilities in Apache Struts have been popular targets for threat actors in the past, with two major incidents occurring in 2017 and 2023.
Mitigation / How do I stay secure?
- Investigate systems and applications to determine if they are at risk: identify deployments that bundle Apache Struts (for example by locating struts2-core JAR files and checking their versions against the list above) and establish whether they use the legacy FileUploadInterceptor for file uploads.
- Upgrade to Struts 6.4.0 or greater and migrate to the new Action File Upload Interceptor (ActionFileUploadInterceptor) mechanism. Upgrading the library alone is not sufficient: the legacy FileUploadInterceptor remains vulnerable in later versions, so application code that relies on it must be rewritten to use the new mechanism.
- Apply vendor patches for third-party applications that utilise Apache Struts; because the fix requires changes to the application's own upload code, such applications cannot be secured by replacing the Struts library on its own.
- Investigate and monitor systems for suspicious activity.
- Monitor vendor advisories for further patch releases and information.
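The following is an added illustration of the migration described in the mitigation steps above; it is not code from the alert or from the Apache Struts project. It shows a file upload action written for the legacy FileUploadInterceptor beside the same action rewritten for Struts 6.4.0+ using the ActionFileUploadInterceptor's UploadedFilesAware contract. The package name, class names, the upload directory /var/app/uploads and the action mapping are assumptions; the UploadedFile accessors used are those of the Struts 6.4.0 API and should be checked against the Javadoc of the version actually deployed.

```java
package example; // hypothetical package

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * BEFORE: an action written for the legacy FileUploadInterceptor (the
 * mechanism the advisory says to migrate away from). The file, the
 * client-supplied file name and the content type arrive through ordinary
 * bean setters, which the framework populates for the action.
 */
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String type) { this.uploadContentType = type; }

    @Override
    public String execute() throws IOException {
        // Unsafe pattern: the framework-populated name is used as a path
        // component without any validation.
        Path dest = Paths.get("/var/app/uploads", uploadFileName);
        Files.copy(upload.toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER: the same action on Struts 6.4.0+ with the ActionFileUploadInterceptor.
 * Uploaded files are delivered through withUploadedFiles(); there are no
 * public setters for the framework to populate, and the destination name is
 * derived from the original name in a way that cannot leave the upload dir.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumed upload directory; normalised once so startsWith() below is reliable.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> files;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.files = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (files == null || files.isEmpty()) {
            addActionError("No file uploaded");
            return INPUT;
        }
        for (UploadedFile f : files) {
            Path dest = safeDestination(UPLOAD_DIR, f.getOriginalName());
            if (dest == null) {
                addActionError("Rejected file name: " + f.getOriginalName());
                return INPUT;
            }
            // getContent() is the temporary File written by the multipart parser.
            // No REPLACE_EXISTING: an existing file makes copy() throw rather
            // than silently overwrite something already on disk.
            Files.copy(((File) f.getContent()).toPath(), dest);
        }
        return SUCCESS;
    }

    /**
     * Reduces a client-supplied name to a single path element and confirms the
     * result still resolves inside baseDir. Returns null if it should be rejected.
     */
    static Path safeDestination(Path baseDir, String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            return null;
        }
        // Keep only the last element, whichever separator the client used.
        String leaf = clientName.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            return null;
        }
        Path dest = baseDir.resolve(leaf).normalize();
        return dest.startsWith(baseDir) ? dest : null;
    }
}
```

For the rewritten action to receive files, its mapping in struts.xml must run through a stack that includes the `actionFileUpload` interceptor rather than the legacy `fileUpload` one; whether the default stack of your Struts version already does so should be confirmed against the 6.4.0 release documentation. Removing the legacy action's setters is part of the fix, not a cosmetic change: with no setter for the file name, there is nothing for request parameters to populate, and the only name the action ever sees is the one the interceptor obtained from the multipart body, which `safeDestination` then confines to the upload directory.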
Apache’s Security Advisory:
If suspicious activity is detected, notify ASD’s ACSC via cyber.gov.au or 1300 CYBER1 (1300 292 371).
Assistance / Where can I go for help?
The ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).