The Apache Software Foundation has issued a security advisory for a critical security flaw in the Struts 2 web application framework. The flaw, tracked as CVE-2023-50164 [1] [2] [5] [8] [9], allows remote code execution by combining path traversal with the upload of a malicious file [1] [5].

Description

Attackers can exploit this vulnerability by manipulating file upload parameters, enabling path traversal and potentially uploading a malicious file [8]. This grants them control over the underlying operating system [7], allowing them to install programs and to view [4] [7], change [7], or delete data [7], depending on the user's privileges [7].

There are no workarounds for this vulnerability. Developers are therefore strongly advised to upgrade promptly to Struts 2.5.33 or Struts 6.3.0.2 or later. The affected versions of Struts include 2.3.37, 2.5.0, 2.5.32, 6.0.0, and 6.3.0 [1] [5] [6]. Patches that fix the vulnerability are available in the fixed releases. Note that an earlier Struts vulnerability was exploited in the 2017 Equifax breach. Keeping Apache servers secure is crucial for protecting organizations and end users [6]. For details of the bug fixes and improvements, see the release notes for Struts 2.5.33 and Struts 6.3.0.2 [3]. Further references for the vulnerability are available from NVD [3], Apache's Confluence pages [3], and Tenable's CVE database [3].
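The bug class described above is a client-supplied upload name that escapes the intended directory. As an added example (not Apache Struts code, and not a substitute for the upgrade the advisory mandates), this Java helper shows the application-layer filename handling that makes such a name fail closed and produce a loggable rejection; the upload directory path and the sample names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example: resolve a client-supplied upload file name strictly inside
 * a fixed upload directory. Names carrying directory separators or traversal
 * components are rejected rather than silently stripped, so the rejection can
 * be logged and alerted on.
 */
public final class UploadPathGuard {

    private final Path baseDir;

    public UploadPathGuard(Path baseDir) {
        // Canonical, absolute base so the later parent check is meaningful.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the safe target path, or throws if the name is not a plain file name. */
    public Path resolve(String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A legitimate upload name is a single path component: no '/' or '\',
        // no "." or "..", no NUL byte (which can truncate the name in native code).
        boolean hasSeparator = clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0;
        boolean isDotRef = clientFileName.equals(".") || clientFileName.equals("..");
        if (hasSeparator || isDotRef || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        Path target = baseDir.resolve(clientFileName).normalize();
        // Belt and braces: the final path must still be a direct child of baseDir.
        if (target.getParent() == null || !target.getParent().equals(baseDir)) {
            throw new IllegalArgumentException("path escapes upload directory: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/var/app/uploads")); // assumed directory
        System.out.println("accepted: " + guard.resolve("report.pdf"));
        // Constructed sample names that a traversal attempt would carry.
        for (String bad : new String[] {"../../../outside.txt", "..\\..\\outside.txt", ".."}) {
            try {
                guard.resolve(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```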

Conclusion

This critical security flaw in the Struts 2 web application framework poses a significant risk, allowing attackers to execute code remotely and gain control over the underlying operating system. Upgrading promptly to the recommended versions is essential to mitigate this vulnerability. The earlier exploitation of a Struts vulnerability in the Equifax breach highlights the importance of securing Apache servers. Developers and organizations must prioritize the protection of their systems and end users.

References

[1] https://owasp.or.id/2023/12/12/new-critical-rce-vulnerability-discovered-in-apache-struts-2/
[2] https://cyber.vumetric.com/security-news/2023/12/12/new-critical-rce-vulnerability-discovered-in-apache-struts-2-patch-now/
[3] https://www.cert.be/en/advisory/warning-patch-available-critical-rce-vulnerability-apache-struts
[4] https://www.cisa.gov/news-events/alerts/2023/12/12/apache-software-foundation-updates-struts-2
[5] https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html
[6] https://www.scmagazine.com/news/apache-advises-developers-to-patch-critical-flaw-in-struts-2
[7] https://www.cisecurity.org/advisory/a-vulnerability-in-apache-struts-2-could-allow-for-remote-code-execution_2023-138
[8] https://securityaffairs.com/155643/hacking/apache-struts-2-critical-flaw.html
[9] https://phoenix.security/apache-struts-2-critical-vuln/