Apache Warns of Critical Vulnerability in Struts 2

Apache has warned customers of a critical remote code execution (RCE) vulnerability in its popular Struts 2 framework.

Apache Struts 2 is an open-source web application framework for developing Java EE web applications.

The new vulnerability, CVE-2023-50164, has been given a maximum severity rating and affects Struts 2.0.0-2.3.37 (EOL), Struts 2.5.0-2.5.32, and Struts 6.0.0-6.3.0.

“An attacker can manipulate file upload parameters to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution,” explained a summary from Atlassian Confluence.

Struts 2 developers and users are urged to immediately upgrade to version 2.5.33, or Struts 6.3.0.2 or greater.

Read more on Apache Struts 2: Equifax Has Spent Nearly $1.4bn on Breach Costs

“This is a high severity vulnerability since it’s not just a simple directory traversal vulnerability. Any vulnerable Struts 2 implementation that allows file uploads allows an attacker to upload malicious files and thereby execute code,” explained Qualys security research manager, Mayuresh Dani. “Depending on the application installation, the code could execute with the privileges of the web server or a designated user.”

He added that if customers can’t patch immediately, they should ensure that applications are configured to only accept authorized file types and to limit the size of uploaded files.

“Apache Struts helps build sophisticated, contemporary Java web apps,” explained Qualys technical content developer, Diksha Ojha. “It is expandable through plugin architecture, prioritizes convention over configuration, and comes with AJAX, REST, and JSON plugins.”

Users would be advised to follow Apache’s guidance on patching, given a major Struts 2 vulnerability that Equifax failed to patch ultimately led to a hugely damaging breach at the credit agency back in 2017.

Although an update was issued to fix CVE-2017-5638 on March 7 2017, the bug went unpatched and internal scanning processes at the firm didn’t work as intended.

That allowed threat actors to exploit the CVE and access the network on March 10 2017 via a consumer complaint web portal, taking advantage of poor segmentation and passwords and usernames stored in plain text to move laterally.

Threat researchers later warned that tens of thousands of applications running Struts 2 could have been targeted by malicious actors in the same way unless patched.