Fri, Dec 15, 2023

CVE-2023-50164: Remote Code Execution Vulnerability Discovered in Apache Struts

NOTE: This remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

Apache has released an advisory for a critical vulnerability discovered in Struts versions 2.0.0-2.3.37 (EOL), 6.0.0- and 2.0.0-2.5.32. This vulnerability is being tracked as CVE-2023-50164 with a CVSS score of 9.8 (Critical) and is reportedly being actively exploited. Impacted versions are affected by a file upload and directory traversal vulnerability that can lead to remote code execution. We recommend upgrading affected versions to or 2.5.33 as soon as possible.

Struts is an Apache MVC framework that is found in many common Java web applications.

Since the initial advisory was released, several technical analyses of the vulnerability have been published by security researcher “Sichuan” and GreyNoise Labs. A proof of concept (POC) is also available on GitHub that demonstrates exploiting the vulnerability to upload a webshell to a vulnerable application. Because the POC is simple to deploy, it makes exploitation accessible to less sophisticated, opportunistic threat actors.

As per the advisory, “An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.”
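As a defender-side illustration of the vulnerability class the advisory describes (a client-controlled upload filename that escapes the intended directory), the following is an added example written for this post; it is not Kroll's code and not Apache Struts code, and the upload root, the extension allowlist and the sample filenames are constructed assumptions.

```python
"""Hardened handling of a client-supplied upload filename (added example).

Not Struts code: shows the checks an upload handler should apply so that a
manipulated filename parameter cannot traverse out of the upload directory
or drop a server-executable file such as a JSP webshell.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed policy for the demo application: only these types may be stored.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


def safe_upload_path(upload_root: str, client_filename: str) -> Optional[Path]:
    """Return the path the file may be written to, or None to reject it.

    1. Fully percent-decode the name (bounded loop guards double encoding).
    2. Keep only the last path component so '../' and absolute prefixes vanish.
    3. Refuse empty, dot-only and NUL-containing names.
    4. Enforce an extension allowlist (refuses .jsp and similar).
    5. Resolve and prove the result still sits directly inside the root.
    """
    root = Path(upload_root).resolve()
    name = client_filename
    for _ in range(3):                       # e.g. %252e%252e -> %2e%2e -> ..
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = name.replace("\\", "/").split("/")[-1].strip()   # basename only
    if not name or name in {".", ".."} or "\x00" in name:
        return None
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    candidate = (root / name).resolve()      # follows symlinks, if any
    if candidate.parent != root:             # containment check after resolve
        return None
    return candidate
```

These checks belong in the application's own upload handling and reduce the impact of a hostile filename parameter; they do not patch the Struts parameter-handling flaw itself, which only the upgrade addresses.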

It is hard to quantify the attack surface for this vulnerability without active scanning, since several mitigating factors could prevent an attacker from uploading a file to an application that uses Apache Struts, such as a web application firewall (WAF) or the absence of a file upload interface for an attacker to interact with.

Kroll is assessing what impact this vulnerability could have on other popular web-facing applications. It is likely that further vendor-specific advisories will emerge as more research is conducted on the vulnerability. If you have concerns that a product uses a vulnerable version of Apache Struts, we suggest contacting the vendor directly.

Below are some key recommendations from Kroll’s CTI team:

  • If Apache Struts is used in your organization's development flow, we recommend updating to the latest version as soon as possible.
  • Organizations should consider moving any unauthenticated file upload paths behind an authentication service where possible.
  • Consider using a WAF to filter traffic to and from your applications.
