
Apache Struts Path traversal (S2-067/CVE-2024-53677, S2-066/CVE-2023-50164)

Description

Apache Struts versions prior to 6.4.0 contain a path traversal vulnerability in the file upload mechanism. An attacker who can manipulate the file upload parameters can bypass the intended path restrictions and write uploaded files to arbitrary locations on the server. When combined with specific server configurations, this enables remote code execution (RCE), allowing the attacker to run arbitrary commands on the affected system.

Remediation

Immediately upgrade Apache Struts to version 6.4.0 or later, which includes a redesigned file upload mechanism that addresses this vulnerability. Follow these steps:

1. Update your project dependencies to use Struts 6.4.0 or higher
2. Migrate from the legacy file upload implementation to the new secure file upload mechanism
3. Review and update any custom file upload handling code to use the new APIs
4. Test file upload functionality thoroughly in a non-production environment before deploying
5. As an additional defense-in-depth measure, ensure uploaded files are stored outside the web root and implement strict file type validation

If immediate upgrade is not possible, implement temporary mitigations such as restricting file upload functionality, implementing strict input validation on file paths, and deploying web application firewall (WAF) rules to detect path traversal attempts. However, upgrading remains the only complete solution.
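The remediation steps above and the interim mitigations (strict validation of file paths, detection of traversal attempts in upload parameters) can be illustrated with one piece of code. The Java class below is an added example, not code from Apache Struts or from this entry: it assumes a hypothetical upload directory located outside the web root and a hypothetical caller (for instance a Struts action) that hands it the client-supplied filename and the content stream; the Struts wiring itself is not shown. `looksLikeTraversal` is the detection half and can back a filter or WAF-style rule; `store` is the hardening half: the client-supplied name contributes only its extension, which is checked against an allowlist, and the file is written under a random server-generated name beneath the upload root.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hardened handling of a client-supplied upload filename (constructed example,
 * not Struts project code). The framework integration point is assumed; only the
 * validation, detection and storage logic is shown here.
 */
public final class SafeUploadStore {

    // File types this application accepts: an allowlist, never a denylist.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "pdf");

    // Traversal indicators in the decoded name: a ".." segment, an absolute path,
    // a Windows drive letter, or an embedded NUL byte.
    private static final Pattern TRAVERSAL = Pattern.compile(
        "(^|[/\\\\])\\.\\.([/\\\\]|$)|^[/\\\\]|^[A-Za-z]:|\\x00");

    private static final SecureRandom RNG = new SecureRandom();

    private final Path uploadRoot;

    /** uploadRoot must be a directory outside the servlet container's web root. */
    public SafeUploadStore(Path uploadRoot) throws IOException {
        this.uploadRoot = uploadRoot.toRealPath();
    }

    /**
     * Detection helper: percent-decode the raw filename twice (to catch
     * double-encoding) and test it against the traversal indicators.
     */
    public static boolean looksLikeTraversal(String rawName) {
        if (rawName == null) return false;
        String decoded = rawName;
        for (int i = 0; i < 2; i++) {
            try {
                decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return true; // malformed percent-encoding is itself suspicious
            }
        }
        return TRAVERSAL.matcher(decoded).find();
    }

    /** Lower-cased extension of a bare filename, or null if it has none. */
    static String extensionOf(String bareName) {
        int dot = bareName.lastIndexOf('.');
        if (dot < 0 || dot == bareName.length() - 1) return null;
        return bareName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * Writes the upload under a server-generated name and returns its path.
     * The client-supplied name is used only to derive the extension.
     */
    public Path store(String clientFileName, InputStream content) throws IOException {
        if (clientFileName == null || looksLikeTraversal(clientFileName)) {
            throw new SecurityException("rejected upload filename");
        }
        // Keep only the last path segment the client sent, whichever separator it used.
        String normalized = clientFileName.replace('\\', '/');
        String bare = normalized.substring(normalized.lastIndexOf('/') + 1);
        String ext = extensionOf(bare);
        if (ext == null || !ALLOWED_EXT.contains(ext)) {
            throw new SecurityException("file type not allowed");
        }
        // Random server-side name: no client input reaches the filesystem path.
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder name = new StringBuilder();
        for (byte b : rnd) name.append(String.format("%02x", b));
        Path target = uploadRoot.resolve(name + "." + ext).normalize();
        // Belt and braces: the resolved target must still lie under the upload root.
        if (!target.startsWith(uploadRoot)) {
            throw new SecurityException("resolved path escaped upload root");
        }
        Files.copy(content, target); // throws if a file with that name already exists
        return target;
    }

    // Stand-alone demonstration with constructed inputs.
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads-outside-webroot");
        SafeUploadStore uploads = new SafeUploadStore(root);

        // Constructed sample values as a filter might see them in a multipart filename field.
        String[] samples = {
            "report.pdf",
            "../../outside.txt",
            "..%2F..%2Foutside.txt",
            "%252e%252e%252foutside.txt",
            "C:\\somewhere\\outside.png"
        };
        for (String s : samples) {
            System.out.printf("%-32s traversal=%b%n", s, looksLikeTraversal(s));
        }

        Path saved = uploads.store("photo.JPG", new ByteArrayInputStream(new byte[] {1, 2, 3}));
        System.out.println("stored as " + saved);
    }
}
```

Of the five constructed samples only `report.pdf` passes the detection check; the stored `photo.JPG` ends up as a random hexadecimal name with a `.jpg` extension under the temporary directory, so a successful traversal string never reaches the filesystem path even if the detection regex were to miss a variant.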
