Apache Struts 2 Vulnerability CVE-2023-50164 Exposed
On December 7th, 2023, the Apache Struts project disclosed a significant vulnerability, CVE-2023-50164, in its Struts 2 open-source web framework. Rated at a critical CVSS score of 9.8, this flaw resides within the framework’s file upload logic.
Exploiting this vulnerability empowers attackers to manipulate upload parameters, potentially leading to arbitrary file upload and, under specific conditions, code execution.
The popularity of Apache Struts in handling complex application requirements has made it a critical component in the global web application infrastructure.
Used by numerous Fortune 100 companies and government organizations worldwide, its widespread adoption also makes it a prime target for cyber-attacks.
CVE-2023-50164 Vulnerability: Key Details
The disclosed vulnerability CVE-2023-50164 affects the Struts 2 framework’s file upload logic, allowing unauthenticated path traversal. This could result in remote code execution, posing a severe threat. Depending on the privileges of the account running the application, an attacker could install programs and view, change, or delete data.
The issue lies in the differing treatment of parameters based on case sensitivity. For instance, the framework treats param1="value1" and Param1="Value1" as two different parameters because HTTP parameter names are handled case-sensitively. Recent Apache commits indicate a shift to case-insensitive handling of HTTP parameters.
The vulnerability in Apache Struts stems from parameter pollution. Attackers can manipulate requests by altering the original parameter and introducing an additional lowercase parameter. This lowercase parameter may override an internal file name variable, which is what makes the path traversal, and ultimately the exploitation of the system, possible.
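The parameter-pollution shape described above can be screened for at a WAF or reverse proxy before a request reaches Struts. The following is an added Python example, not code from this post, from Struts or from AppTrana; it assumes the request parameters have already been parsed into (name, value) pairs and uses constructed sample requests.

```python
"""Defensive heuristic for upload requests: flag parameter names that collide
only by case, and block path traversal sequences in parameter values.
Constructed example; not AppTrana's rule and not Struts code."""
import re
from collections import defaultdict

# Constructed sample requests, as a multipart/form-data parser would yield
# them: lists of (parameter name, value) pairs. Not taken from real traffic.
SAMPLE_REQUESTS = {
    "benign": [("upload", "quarterly-report.pdf"), ("description", "Q4 numbers")],
    # same name spelled with different case: the pattern the advisory describes
    "case_collision": [("Upload", "quarterly-report.pdf"), ("upload", "quarterly-report.pdf")],
    # traversal sequence in a filename-like value (placeholder target)
    "traversal": [("Upload", "a.txt"), ("uploadFileName", "../../../placeholder.txt")],
}

# "../", "..\" and their URL-encoded forms (case-insensitive)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e(?:%2f|%5c|/|\\)", re.IGNORECASE)


def find_case_collisions(params):
    """Return groups of names that are equal ignoring case but spelled
    differently, keyed by the lowercase form, e.g. {'upload': ['Upload', 'upload']}."""
    by_lower = defaultdict(set)
    for name, _ in params:
        by_lower[name.lower()].add(name)
    return {key: sorted(names) for key, names in by_lower.items() if len(names) > 1}


def find_traversal(params):
    """Return the (name, value) pairs whose value contains a traversal sequence."""
    return [(name, value) for name, value in params if TRAVERSAL_RE.search(value)]


def assess(params):
    """Classify one request: 'block' on any traversal sequence, 'alert' when
    parameter names collide only by case, otherwise 'allow'."""
    if find_traversal(params):
        return "block"
    if find_case_collisions(params):
        return "alert"
    return "allow"


if __name__ == "__main__":
    for label, params in SAMPLE_REQUESTS.items():
        print(f"{label}: {assess(params)}")
```

Case collisions alone are only alerted rather than blocked because legitimate clients can send mixed-case names; the traversal check is the hard block.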
Severity: Critical
CVSSv3.1: Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv2: Base Score: 10.0 CRITICAL
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available in public: Yes
Exploit complexity: Low
Struts 2.0.0 through 2.3.37 (EOL), 2.5.0 through 2.5.32, and 6.0.0 through 6.3.0 are affected by this vulnerability. The Apache Struts project has released patched versions that address CVE-2023-50164.
Prevention and Mitigation
- Without delay, and after proper testing, upgrade to the fixed versions provided by Apache Struts: Struts 2.5.33 or Struts 6.3.0.2 or later.
- Employ vulnerability scanning to identify software vulnerabilities that may require mitigation measures.
- Implement a policy of least privilege across all systems and services.
AppTrana WAAP Coverage for CVE-2023-50164
AppTrana WAAP doesn’t just manage vulnerabilities but takes proactive measures to preempt their exploitation through its risk-based approach.
AppTrana’s vulnerability management system prioritizes critical vulnerabilities, empowering teams first to address the most imminent threats. This strategic approach optimizes resource allocation and enhances remediation efforts, ensuring a swift and effective response to potential risks.
AppTrana’s built-in DAST scanner identifies and tracks system vulnerabilities. It highlights instances of Struts, mapping its deployment across the organization. This data is vital for targeted security measures and streamlined patch management.
Beyond vendor-provided patches, Indusface’s managed security team has developed the following custom security rule (virtual patching) to generate alerts related to Apache Struts and promptly block any attempt to exploit the vulnerability.
| Rule ID | Name |
|---------|------|
| 302 | LFI Attacks |
This virtual patch is deployed within 24 hours from the Proof of Concept (POC) publication, providing day-zero protection for all AppTrana customers.