CVE-2023-50164 - RCE Vulnerability Apache Struts2

Introduction

CVE-2023-50164 is a critical vulnerability with a CVSS score of 9.8, enabling remote code execution through path traversal by manipulating file upload parameters. It affects multiple versions of Apache Struts 2, including some that are no longer supported. The availability of Proof of Concept (PoC) exploit codes has led to exploitation attempts. Mitigation strategies involve upgrading to patched Struts versions and implementing additional security measures. 

What is Apache Struts 2

Apache Struts 2 is an advanced open-source framework for developing Java EE web applications, emphasizing a model-view-controller (MVC) architecture. It extends the Java Servlet API, enhancing its capabilities for enterprise-level application development. Struts 2 is part of the Apache Software Foundation's Struts project and was created as a successor to the original Struts framework.

Affected Versions and Applications

The CVE-2023-50164 vulnerability affects specific versions of Apache Struts 2. These are the versions that are vulnerable:

  • Struts 2.0.0 to Struts 2.3.37 (end-of-life)

  • Struts 2.5.0 to Struts 2.5.32

  • Struts 6.0.0 to Struts 6.3.0

Fixed Versions:

To address the vulnerabilities in different series of Apache Struts 2, it is recommended that for the 2.5.x series, users should upgrade to Struts 2.5.33 or later versions, while for the 6.x series, the fixed versions start from Struts 6.3.0.2 onwards.

Exploit steps

  1. Identifying Vulnerable Systems
    The first step involves attackers identifying web applications that run the affected versions of Apache Struts 2. These versions include Struts 2.0.0 to 2.5.32, and 6.0.0 to 6.3.0.1, among others.

  2. Preparing the Malicious Payload
    Once a vulnerable application is identified, the attacker prepares a malicious file, often a Java Server Page (JSP) or a web shell. This file is crafted to execute arbitrary code when uploaded and accessed.

  3. Exploiting the File Upload Mechanism
    The attacker proceeds to create a specialized request for file upload, which contains modified data, including the file's name and intended path, thus altering the file upload parameters.

  4. Triggering the Exploit
    Upon successful upload, accessing the malicious file through a web browser or an automated script triggers the execution of the exploit. This step is crucial as it leads to the execution of the arbitrary code embedded in the malicious file.

  5. Gaining Control
    If the exploit is successful, the attacker gains the ability to perform actions on the server, ranging from data theft to taking full control of the affected system.

These steps outline the general process an attacker might follow to exploit CVE-2023-50164. It's important to note that the specifics of the attack can vary based on the configuration of the targeted application and the attacker's objectives.

The Proof of Concept (PoC) exploit code for CVE-2023-50164 demonstrates how the vulnerability in Apache Struts 2 can be exploited to perform remote code execution via path traversal. This PoC exploit code is publicly available, increasing the risk of exploitation attempts by providing a practical blueprint for attackers to leverage the vulnerability.

Mitigations and Recommendations

Apache has taken proactive measures against the CVE-2023-50164 vulnerability affecting Apache Struts 2. In response, they have issued patches to counteract this significant security risk. Organizations utilizing Apache Struts are urged to upgrade promptly to either Struts 2.5.33, Struts 6.3.0.2, or any later version, as detailed on their official website and security bulletins.

However, simply applying these patches isn't the only line of defense. With the Proof of Concept (PoC) exploit code for this vulnerability being publicly available, understanding its mechanisms is critical. Such knowledge is invaluable in anticipating and preparing for potential exploitation attempts that follow the PoC's strategy.

In addition to applying patches, the PoC's author recommends further strategies to bolster security. One key measure is to limit exposure by refraining from exposing unauthorized file upload paths. This action curtails one of the primary avenues through which attackers exploit this vulnerability, thereby enhancing the system's defense.

Furthermore, implementing interceptors at file upload locations serves as another layer of defense. These interceptors scrutinize and validate incoming files, ensuring that only secure and intended uploads make their way through, thereby safeguarding against malicious uploads.

By adopting these mitigation strategies, organizations can substantially lower the risk of exploitation posed by CVE-2023-50164. In doing so, they contribute to maintaining a more secure and resilient IT environment, prepared to face the challenges posed by such vulnerabilities.

References

CVE-2023-50164-PoC

Decoding CVE-2023-50164: Unveiling the Apache Struts File Upload Exploit

Observed Exploitation Attempts of Struts 2 S2-066 Vulnerability (CVE-2023-50164)

CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component

Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164)

CISA Urges Organizations to Patch the Critical Apache Struts RCE Vulnerability, CVE-2023-50164

S2-066

Back to all blogs

Featured blogs