A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging users to apply the patch or run the latest version as soon as possible.
Apache Struts 2 is an open source web application framework for developing Java-based web applications. It aims to simplify the creation of interactive web applications and is often used by large enterprises and government agencies.
Apache's advisory describes a "file upload logic" flaw affecting versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2; versions 6.4.0 and 7.0.0 are not affected. The bug is tracked as CVE-2024-53677 and rated 9.5/10 (critical). An attacker who can reach an affected application's file upload action can manipulate the upload parameters to achieve path traversal, so that an uploaded file is written into a directory it should never reach. Where that directory is served or executed by the application server, this enables remote code execution (RCE), and with it data theft and system takeover. The exposure is limited to applications that use the deprecated FileUploadInterceptor; Apache states that applications not built on that upload logic are not affected.
Patching the flaw

Apache has released a patch for the flaw, but at the same time, a proof-of-concept (PoC) exploit was made publicly available.
Upgrading to version 6.4.0 is the minimum, but on its own it is not enough: 6.4.0 still ships the vulnerable FileUploadInterceptor, now marked deprecated, and actions that keep using it remain exposed. Apache's guidance is to upgrade to at least 6.4.0 and then migrate those actions to the new Action File Upload mechanism (the ActionFileUploadInterceptor). The change is not backward compatible, so the action classes themselves have to be rewritten, not just the dependency version.
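The following is an added example, not code from Apache or from the article, of what that migration looks like for a single action on Struts 6.4.0. The action receives its files through the `org.apache.struts2.action.UploadedFilesAware` callback that the new interceptor invokes, instead of exposing `setUploadFileName`-style setters that the params interceptor can populate from the request. The package name, the storage root and the extension allow-list are assumptions for illustration; the interceptor's temporary file is assumed to be reachable through `UploadedFile.getAbsolutePath()`, which is how the default multipart parser exposes it.

```java
// Added example (not Apache's or the article's code): a Struts 2 upload action
// written against the 6.4.0 Action File Upload mechanism. The destination file
// name is generated on the server, so no request parameter decides where the
// upload lands.
package com.example.upload;   // hypothetical package

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Locale;
import java.util.UUID;

import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import com.opensymphony.xwork2.ActionSupport;

public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Hypothetical storage root, assumed to exist and to sit outside the web root.
    private static final Path STORAGE_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> uploadedFiles;

    // Invoked by the actionFileUpload interceptor. There is no public setter for
    // the file name or content type, so a crafted request cannot override them.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file received");
            return INPUT;
        }
        for (UploadedFile upload : uploadedFiles) {
            // The client-supplied name is metadata only; it is validated, never used as a path.
            String original = upload.getOriginalName();
            if (original == null || original.contains("/") || original.contains("\\")
                    || original.contains("..")) {
                addActionError("Rejected suspicious file name");
                return INPUT;
            }
            String extension = allowedExtension(original);
            if (extension == null) {
                addActionError("File type not allowed: " + original);
                return INPUT;
            }
            // Server-generated name with a whitelisted extension.
            Path target = STORAGE_ROOT.resolve(UUID.randomUUID() + extension).normalize();
            if (!target.startsWith(STORAGE_ROOT)) {
                // Defence in depth: unreachable with a generated name, but cheap to keep.
                throw new IllegalStateException("upload target resolved outside storage root");
            }
            // The interceptor's temporary file (assumed path exposed by getAbsolutePath()).
            Path temp = Paths.get(upload.getAbsolutePath());
            Files.copy(temp, target);
        }
        return SUCCESS;
    }

    // Returns the canonical extension for an allowed file name, or null to reject it.
    static String allowedExtension(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        for (String ext : new String[] {".pdf", ".png", ".jpg"}) {
            if (lower.endsWith(ext)) {
                return ext;
            }
        }
        return null;
    }
}
```

The interceptor stack in struts.xml has to change as well: the action's stack must reference `actionFileUpload` rather than `fileUpload`, and the `maximumSize`, `allowedTypes` and `allowedExtensions` parameters can be carried over. An action that still implements the old `setUpload`/`setUploadFileName` contract while sitting behind the new interceptor will simply stop receiving files, which is a useful way to spot any action the migration missed.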
In their writeup, cybersecurity researchers from Vulcan stressed Apache Struts flaws were “prime targets for attackers”, reminding their readers about the Equifax breach from 2017, which was attributed to a similar flaw. They also said that Struts 2 has significant download volume - roughly 300,000 monthly requests - meaning the attack surface is quite large.
Finally, they said CISA already added multiple Struts RCE flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Via The Register