Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software –
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
Update
Threat actors are attempting to exploit the flaw against unpatched Apache Struts servers following the release of a proof-of-concept (PoC), according to a post shared by the Shadowserver Foundation on X (formerly Twitter).
Web infrastructure and security company Akamai told The Hacker News that the vulnerability is “being actively exploited to install web shells and subsequently establish footholds in targeted networks.”
“While CVE-2023-50164 is a serious security vulnerability, it is going to be difficult for attackers to perform mass scanning and exploitation of this vulnerability,” Praetorian researchers said. “The numerous preconditions required to exploit the issue along with the requirement for an application-defined file upload endpoint to be accessible makes mass exploitation a challenge.”
