Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software –
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 220.127.116.11 or greater. There are no workarounds that remediate the issue.
“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
Threat actors are attempting to exploit the flaw against unpatched Apache Struts servers following the release of a proof-of-concept (PoC), according to a post shared by the Shadowserver Foundation on X (formerly Twitter).
Web infrastructure and security company Akamai told The Hacker News that the vulnerability is “being actively exploited to install web shells and subsequently establish footholds in targeted networks.”
“While CVE-2023-50164 is a serious security vulnerability, it is going to be difficult for attackers to perform mass scanning and exploitation of this vulnerability,” Praetorian researchers said. “The numerous preconditions required to exploit the issue along with the requirement for an application-defined file upload endpoint to be accessible makes mass exploitation a challenge.”
Details of Observed Exploitation Attempts
Akamai, in an update posted on December 14, 2023, said the vulnerability could ve used to deliver JSP-based web shells that, when accessed via a web browser or an automated script by the attacker, triggers its execution, enabling them to perform follow-up actions ranging from server takeover to data theft.
“Depending on the attacker’s intentions or motivations, they might maintain covert access for future exploitation or to use the compromised server to launch further attacks,” Akamai researchers noted.
Cybersecurity firm Trend Micro said multiple threat actors have joined the exploitation bandwagon, but emphasized that “exploiting this vulnerability at scale becomes significantly challenging for attackers, as it lacks the same straightforward scanning and exploitation capabilities observed in CVE-2017-5638.”