Patch Now: Exploit Activity Mounts for Dangerous Apache Struts 2 Bug

CVE-2023-50164 is harder to exploit than the 2017 Struts bug behind the massive breach at Equifax, but don't underestimate the potential for attackers to use it in targeted attacks.

5 Min Read
Coding script text on screen. Notebook closeup photo.
Source: Zakharchuk via Shutterstock

Concerns are high over a critical, recently disclosed remote code execution (RCE) vulnerability in Apache Struts 2 that attackers have been actively exploiting over the past few days.

Apache Struts is a widely used open source framework for building Java applications. Developers can use it to build modular Web applications based on what is known as the Model-View-Controller (MVC) architecture. The Apache Software Foundation (ASF) disclosed the bug on Dec. 7 and gave it a near maximum severity rating of 9.8 out of 10 on the CVSS scale. The vulnerability, tracked as CVE-2023-50164 has to do with how Struts handles parameters in file uploads and gives attackers a way to gain complete control of affected systems.

A Widely Prevalent Security Issue Affecting Java Apps

The flaw has evoked considerable concern because of its prevalence, the fact that it is remotely executable, and because proof-of-concept exploit code is publicly available for it. Since the disclosure of the flaw last week, multiple vendors — and entities such as ShadowServer — have reported seeing signs of exploit activity targeting the flaw.

The ASF itself has described Apache Struts as having a "huge user base," because of the fact that it has been around for more than two decades. Security experts estimate there are thousands of applications worldwide — including those in use at many Fortune 500 companies and organizations in government and critical infrastructure sectors — that are based on Apache Struts.  

Many vendor technologies incorporate Apache Struts 2 as well. Cisco, for instance, is currently investigating all products that are likely affected by the bug and plans to release additional information and updates when needed. Products that are under scrutiny include Cisco's network management and provisioning technologies, voice and unified communications products and its customer collaboration platform.

The vulnerability affects Struts versions 2.5.0 to 2.5.32 and Struts versions 6.0.0 to 6.3.0. The bug is also present in Struts versions 2.0.0 to Struts 2.3.37, which are now end-of-life.

The ASF, security vendors and entities such as the US Cybersecurity and Information Security Agency (CISA) have recommended that organizations using the software immediately update to Struts version 2.5.33 or Struts or greater. No mitigations are available for the vulnerability, according to the ASF.

In recent years, researchers have unearthed numerous flaws in Struts. Easily the most significant of them was CVE-2017-5638 in 2017, which affected thousands of organizations and enabled a breach at Equifax that exposed sensitive data belonging to a staggering 143 million US consumers. That bug is actually still floating around — campaigns using the just-discovered NKAbuse blockchain malware, for instance, are exploiting it for initial access.

A Dangerous Apache Struts 2 Bug, but Hard to Exploit

Researchers at Trend Micro who analyzed the new Apache Struts vulnerability this week described it as a dangerous but considerably harder to exploit at scale than the 2017 bug, which was little more than a scan and exploit issue.  

"The CVE-2023-50164 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide," Trend Micro researchers said.

The flaw basically allows an adversary to manipulate file upload parameters to enable path traversal: "This could potentially result in the uploading of a malicious file, enabling remote code execution," they noted.

To exploit the flaw, an attacker would first need to scan for and identify websites or Web applications using a vulnerable Apache Struts version, Akamai said in a report summarizing its analysis of the threat this week. They would then need to send a specially crafted request to upload a file to the vulnerable site or Web app. The request would contain hidden commands that would cause the vulnerable system to place the file in a location or directory from where the attack could access it and trigger the execution of malicious code on the affected system.

"The Web application must have certain actions implemented to enable the malicious multipart file upload," says Sam Tinklenberg, senior security researcher at Akamai. "Whether this is enabled by default depends on the implementation of Struts 2. Based on what we have seen, it is more likely this is not something enabled by default."

Two PoC Exploit Variants for CVE-2023-50164

Akamai said it has so far seen attacks targeting CVE-2023-50164 using the publicly released PoC, and another set of attack activity using what appears to be a variant of the original PoC.

"The exploit mechanism is the same between the two" sets of attacks, Tinklenberg says. "However, the items which differ are the endpoint and parameter used in the exploitation attempt."

The requirements for an attacker to successfully exploit the vulnerability can vary significantly by implementation, Tinklenberg adds. These include the need for a vulnerable app to have the file upload function enabled and for it to allow an unauthenticated user to upload files. If a vulnerable app does not allow unauthorized user uploads, the attacker would need to gain authentication and authorization via other means. The attacker would also need to identify the endpoint using the vulnerable file upload function, he says.

While this vulnerability in Apache Struts might not be as readily exploitable on a large scale compared with previous flaws, its presence in such a widely adopted framework certainly raises significant security concerns, says Saeed Abbasi, manager of vulnerability and threat research at Qualys.

"This particular vulnerability stands out due to its complexity and the specific conditions required for exploitation, making widespread attacks difficult but possible," he notes. "Given Apache Struts' extensive integration in various critical systems, the potential for targeted attacks cannot be underestimated."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights