
Remote code execution vulnerability found in Apache Struts 2 [CVE-2023-50164]

Apache has issued a warning to its users regarding a critical remote code execution (RCE) vulnerability found in its widely-used Struts 2 framework.

Apache Struts 2 is an open-source web application framework designed for developing Java EE web applications.

The newly identified vulnerability, CVE-2023-50164, has been assigned the highest severity rating and affects Struts 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 through 6.3.0.

According to a summary provided by Atlassian Confluence, attackers can exploit this vulnerability by manipulating file upload parameters to achieve path traversal, which can allow a malicious file to be written to a location from which it is executed, giving remote code execution.

Developers and users of Struts 2 are strongly advised to upgrade promptly to Struts 2.5.33, or to Struts 6.3.0.2 or later.

This vulnerability is considered highly severe because it goes beyond a simple directory traversal flaw. Qualys security research manager Mayuresh Dani emphasized that any vulnerable Struts 2 deployment that allows file uploads could let attackers upload malicious files and execute code. Depending on how the application is installed, that code might run with the privileges of the web server or of a designated service user.

Where immediate patching is not feasible, Dani urges users to configure their applications to accept only authorized file types and to limit the size of uploaded files.
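A server-side check of the kind Dani describes (allowed types, a size limit, and no path components in the client-supplied name), written as an added example in plain Java; it is not Struts code, and the upload directory, the extension allowlist and the 5 MiB limit are assumed values.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Added example, not from Struts: validate an upload's client-supplied name and
// size before anything is written to disk. Policy values below are assumptions.
public final class UploadGuard {
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf");   // assumed allowlist
    private static final long MAX_BYTES = 5L * 1024 * 1024;                       // assumed limit: 5 MiB
    private static final Path UPLOAD_DIR =
        Paths.get("/var/app/uploads").toAbsolutePath().normalize();               // assumed location

    // Returns the path the file may be stored at, or throws if any check fails.
    public static Path validate(String clientFileName, long declaredSize) {
        if (clientFileName == null || clientFileName.isBlank())
            throw new IllegalArgumentException("empty file name");
        if (declaredSize < 0 || declaredSize > MAX_BYTES)
            throw new IllegalArgumentException("upload exceeds size limit");

        // Reject any directory component or traversal sequence outright rather than
        // trying to "clean" it: the client controls only a bare file name.
        if (clientFileName.contains("/") || clientFileName.contains("\\") || clientFileName.contains(".."))
            throw new IllegalArgumentException("path components are not allowed in file name");

        // Character allowlist (no leading dot, no control or shell characters).
        if (!clientFileName.matches("[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}"))
            throw new IllegalArgumentException("unexpected characters in file name");

        // Extension allowlist, compared case-insensitively.
        int dot = clientFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFileName.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext))
            throw new IllegalArgumentException("file type not permitted: " + ext);

        // Belt and braces: the resolved target must still lie inside the upload directory.
        Path target = UPLOAD_DIR.resolve(clientFileName).normalize();
        if (!target.startsWith(UPLOAD_DIR))
            throw new IllegalArgumentException("path escapes upload directory");
        return target;
    }

    public static void main(String[] args) {
        System.out.println("accepted: " + validate("report.pdf", 1024));
        String[] rejected = {"../../outside.pdf", "page.jsp", "dir/file.png", "report.pdf"};
        long[] sizes = {1024, 1024, 1024, MAX_BYTES + 1};
        for (int i = 0; i < rejected.length; i++) {
            try { validate(rejected[i], sizes[i]); }
            catch (IllegalArgumentException e) { System.out.println("rejected " + rejected[i] + ": " + e.getMessage()); }
        }
    }
}
```

The declared size should be enforced again while streaming the body, since a client-declared length is itself untrusted input.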

Apache Struts is a key component in building sophisticated Java web applications, offering extensibility through a plugin architecture and favouring convention over configuration. Users are reminded of the importance of following Apache's patching guidance by the notorious Equifax breach of 2017, in which a failure to patch a major Struts 2 vulnerability had significant repercussions. Although an update had been issued, Equifax's unpatched system allowed threat actors to exploit the vulnerability, underscoring the critical importance of timely and effective patching practices.

Kerry Dean

Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.
