MFT Command Center and Internet Server CVE-2024-53677 Critical security vulnerability affecting Apache Struts 2.0.0 to 6.3.x

Article ID: KB0137192

Products                                      Versions
TIBCO Managed File Transfer Command Center    8.4.3 base and below, 8.5.1 base and below, all versions prior to 8.4.0
TIBCO Managed File Transfer Internet Server   8.4.3 base and below, 8.5.1 base and below, all versions prior to 8.4.0

Description

A critical security vulnerability, CVE-2024-53677, was announced that affects Apache Struts 2.0.0 to 6.3.x when the FileUploadInterceptor class is used: a flaw in the Struts file upload logic lets an attacker manipulate upload parameters to achieve path traversal, which under some circumstances allows a malicious file to be uploaded and used for remote code execution. According to the CVE, applications that do not use FileUploadInterceptor are not affected. When the MFT hotfixes listed below are applied, MFT does not allow Struts file uploads, so the FileUploadInterceptor class is not used and MFT is not vulnerable to CVE-2024-53677. If these hotfixes are not applied, follow the instructions below to protect against this CVE. Regardless, Apache Struts will be upgraded in the next hotfixes for MFT 8.4.4 and 8.5.2. This article also describes how to manually disable Struts uploads on older MFT release levels and how to remove the FileUploadInterceptor class from the Struts2 jar file.

Environment

All supported environments

Resolution

Manually disable Struts uploads

The resolution to this issue is to disable Struts file uploads. Struts uploads were disabled in TIBCO Managed File Transfer Command Center and Internet Server hotfixes 8.4.3_HF-001 and 8.5.1_HF-001.
These hotfixes added the following line to <MFT-Install>/server/webapps/cfcc/WEB-INF/strutsprofiles/struts.xml:

   <constant name="struts.multipart.enabled" value="false"/>

With this constant set to false, Struts no longer parses multipart/form-data requests, so no request is ever wrapped as a multipart request and the FileUploadInterceptor bypasses every request without reaching its upload-handling code, which is where the CVE-2024-53677 flaw lives.
If you are at a release level prior to 8.4.3_HF-001 or 8.5.1_HF-001, follow this procedure on every MFT Internet Server and Command Center instance:

1.  Add this line inside the <struts> root element of <MFT-Install>/server/webapps/cfcc/WEB-INF/strutsprofiles/struts.xml (it can sit alongside any existing <constant> elements):

   <constant name="struts.multipart.enabled" value="false"/>

2.  Restart the MFT Internet Server or Command Center instance.

Optionally, remove the FileUploadInterceptor class from the Struts2 jar file

If Struts file uploads are disabled, the file upload interceptor code never executes. If you nevertheless want to remove the class from the distribution, follow this procedure on both MFT Internet Server and Command Center.
Note that the Struts jar file name (struts2-core-2.5.33.jar in the commands below) carries a different version number in other releases; use the name of the jar actually present in <MFT-Install>/server/webapps/cfcc/WEB-INF/lib.

# Work on a copy of the jar; substitute the version shipped with your release for 2.5.33.
cp <MFT-Install>/server/webapps/cfcc/WEB-INF/lib/struts2-core-2.5.33.jar /tmp
mkdir /tmp/strutscve
cd /tmp/strutscve
# Unpack the jar, delete the interceptor class, and repack everything that remains.
jar xvf /tmp/struts2-core-2.5.33.jar
rm org/apache/struts2/interceptor/FileUploadInterceptor.class
jar -c --file /tmp/struts2-core-2.5.33.new.jar *      # JDK 9+ option syntax; older JDKs use "jar cf <jar> *"
# Install the repacked jar under the ORIGINAL file name (see Note 1 below).
cp /tmp/struts2-core-2.5.33.new.jar <MFT-Install>/server/webapps/cfcc/WEB-INF/lib/struts2-core-2.5.33.jar

Restart the MFT Internet Server or Command Center instance, confirm that it starts cleanly, and check the server log for any exception that references FileUploadInterceptor.

Notes:
1.  Do not change the struts2 jar file name. If the name is changed, the next hotfix installation will not remove the renamed file and exceptions will occur.
2.  A subsequent hotfix may ship a new Struts jar that again contains the FileUploadInterceptor class. If you want to keep this class out of the distribution, repeat this procedure for the new Struts jar file.
