Apache Software Foundation has issued a security advisory regarding a critical vulnerability within the Struts 2 open-source web application framework, posing a significant risk for remote code execution (RCE). This vulnerability, designated as CVE-2023-50164, stems from inadequate “file upload logic” that permits unauthorized path traversal. If exploited, attackers can upload malicious files leading to arbitrary code execution.
Struts, built on the Model-View-Controller (MVC) architecture, is widely used for constructing enterprise-level web applications in Java. The vulnerability affects numerous versions of Struts, including Struts 2.3.37 (which has reached end-of-life), along with versions 2.5.0 to 2.5.32, and from 6.0.0 to 6.3.0.
Steven Seeley from Source Incite has been credited with the identification of this vulnerability. In response, Apache has released patches in versions 2.5.33 and 6.3.0.2, urging developers to implement these updates promptly. The advisory emphasizes that there are no existing workarounds available for mitigating the threat.
While no confirmed instances of malicious exploitation have been reported as of yet, historical context raises alarm. A previous vulnerability in Struts, identified as CVE-2017-5638, received a CVSS score of 10.0 and was infamously weaponized in 2017, enabling a data breach at Equifax.
Recent reports indicate that threat actors are actively seeking to exploit the newly identified flaw on unpatched Apache Struts servers, particularly following the dissemination of a proof-of-concept exploit. According to the Shadowserver Foundation, this situation raises the specter of serious compromise, as attackers may utilize the vulnerability to install web shells, thereby establishing persistent access to affected systems.
Akamai’s security team has corroborated these findings, revealing that the vulnerability is being leveraged to deploy web shells. This enables attackers to execute commands remotely, facilitating a range of malicious activities, from server compromise to data exfiltration. The challenge for attackers lies in the specific conditions necessary to exploit this flaw effectively, which may limit widespread application of this vulnerability.
Cybersecurity research indicates that multiple threat actors are capitalizing on this vulnerability, as noted by Trend Micro. Experts emphasize that the complexity involved in exploiting CVE-2023-50164 is a notable difference from the more straightforward attack methodology observed in the earlier CVE-2017-5638.
Given the potential ramifications of this vulnerability, it is imperative for organizations utilizing Struts 2 to prioritize these security patches. The guidance from project maintainers emphasizes that this update should be treated as a direct replacement, making the upgrade process manageable. Business owners are encouraged to consult with their IT security teams to ensure that appropriate measures are implemented without delay.
In summary, CVE-2023-50164 represents a serious risk that necessitates immediate attention from affected organizations. Should attackers capitalize on this vulnerability, the consequences could be severe, and vigilance is essential in safeguarding sensitive data and maintaining operational integrity.
