Threat actors began attempting to exploit CVE-2023-50164, a critical-severity remote code execution (RCE) vulnerability affecting Apache Struts, an open-source framework used to develop Java Web applications, on December 13, 2023.
Background:
According to current intelligence, the threat actors are using a publicly available proof of concept (PoC) vulnerability. CVE-2023-50164 has a CVSS score of 9.8 because it allows a remote threat actor to change file upload parameters to enable path traversal, allowing the threat actor to upload a malicious file to perform RCE. Apache patched this vulnerability in the most recent Struts versions, which were released on December 7th.
Apache Struts is a framework that is frequently utilized in other enterprise applications, and each vendor has to fix the vulnerability. As evidenced by the fact that multiple RCE vulnerabilities affecting Apache Struts are listed in CISA’s Known Exploited Vulnerabilities Catalog, Apache Struts has been a popular target for threat actors. Due to the publicly available PoC exploit and ease of exploitation, we anticipate a surge in threat actors targeting this vulnerability in the near future.
CVE-2023-50164:
The CVE-2023-50164 vulnerability was discovered in Apache Struts 2, an open-source framework for developing and building Java EE web applications. Because Apache Struts 2 is widely used in commercial and open-source projects, this significant vulnerability is a concern across industries, particularly in government, healthcare, and finance.
If exploited, CVE-2023-50164 could result in an RCE due to a path traversal bug. The issue is in how Apache Struts 2 processes file uploads to the /upload.action endpoint. It involves a difference in how parameters are handled based on case sensitivity. For instance, the vulnerability perceives param1=”value1″ and Param1=”Value1″ as distinct because of the case-sensitive characteristics of HTTP parameters. Upon scrutinizing the latest commits by the Apache team, it’s evident that they have modified the HTTP parameters to be case-insensitive.
As a result, an attacker can efficiently traverse the web server’s directory structure without authorization and upload a malicious file, generally a Java Server Page (JSP) based shell, to unauthorized directories within the system by manipulating a file upload parameter.
The attacker can then access the freshly uploaded shell, triggering the execution of the malicious code and gaining complete control of the vulnerable server.
Attack Vector:
To execute a successful attack, threat actors must identify a web application utilizing an exploitable version of Apache Struts and identify the specific vulnerable file upload path.
Subsequently, a malicious request will be sent by the attacker to the file upload path, embedding a JSP-based webshell, along with a path traversal payload to upload the malicious webshell to an unauthorized location within the system.
Once the server receives and validates the request, it saves the malicious webshell in a reachable directory specified by the attacker, providing them access to the recently uploaded malicious webshell. As a result, the attacker can leverage the webshell to execute any desired code, successfully acquiring complete control over the system.
Affected Versions:
| Product | Affected Version(s) | Fixed Version(s) |
|---|---|---|
| Apache Struts | Struts 2.0.0 – Struts 2.3.37 (EOL) | Struts 2.5.33 or greater |
| Apache Struts | Struts 2.5.0 – Struts 2.5.32 | Struts 2.5.33 or greater |
| Apache Struts | Struts 6.0.0 – Struts 6.3.0 | 6.3.0.2 or greater |
Potential Impact:
One of the most significant and urgent risks that an organization can face is remote code execution. A server vulnerable to CVE-2023-50164 could give the attacker complete control, allowing the attacker to do whatever they want, from stealing confidential data to using the compromised server as a launchpad to infiltrate other devices on the network.
Exploitation Attempts:
Early exploitation via Shadowserver yields evidence of several IP addresses engaged in CVE-2023-50164 exploitation attempts. The original post https://xz.aliyun.com/t/13172 also has proof of PoC. However, exploitation of this vulnerability will be target-specific depending on the different target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific constraints that must be overcome; thus, vulnerability exploitation remains minimal.
Recommendations:
This vulnerability has been patched by Apache, notably in versions 6.3.0.2 and 2.5.33. We strongly advise our users to upgrade their deployments as soon as possible in order to effectively secure their environments.
The security fix, however, is not applied automatically to software applications that use the framework. The best way to address CVE-2023-50164 in third-party software products is to install the vendor’s official security patches for each affected software product.
We highly advise you to monitor software vendor advisories for security updates that address CVE-2023-50164 in your environment and to apply any available security upgrades as soon as possible.
References:
https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164
https://xz.aliyun.com/t/13172
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj