Critical Struts 2 flaw could result in remote code execution, says Apache

Apache has released a patch, shipped in a recent upgrade to its Struts 2 open-source web application framework, for a critical security flaw that could result in remote code execution (RCE).

Apache revealed the flaw — CVE-2023-50164 — in an advisory posted on Dec. 7. The maintainers and security pros interviewed by SC Media said developers are strongly advised to perform this upgrade that includes the patch for the critical bug.

“This is a drop-in replacement and upgrade should be straightforward,” said the advisory.

According to the maintainers, an attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform an RCE.

Steven Seeley of Source Incite was credited with discovering the bug, which impacts these versions of the Apache software: Struts 2.3.37 (EOL); Struts 2.5.0; Struts 2.5.32; Struts 6.0.0; and Struts 6.3.0. Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater, and there are no available workarounds.
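One way to inventory deployments against the fixed releases named above, as an added example that is not code from Apache or SC Media. It assumes the framework ships under its standard artifact name `struts2-core-<version>.jar`, and it conservatively flags anything older than the fixed release on its 2.x or 6.x line; `classify` and `scan` are names chosen for this sketch.

```python
import re
import sys
import zipfile
from pathlib import Path

# Fixed releases named in the article, keyed by major line.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}
# Assumption: the framework jar keeps its standard name struts2-core-<version>.jar.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")


def classify(version_text):
    """Return 'upgrade', 'patched', or 'review' (major line not covered here)."""
    version = tuple(int(part) for part in version_text.split("."))
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review"
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    return "upgrade" if padded < fixed + (0,) * (width - len(fixed)) else "patched"


def scan(root):
    """List (location, version, status) for struts2-core jars under root.

    Looks at loose jars and at entries inside .war files; archives nested
    inside other archives are not unpacked.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        candidates = [(str(path), path.name)]
        if path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                candidates = [(f"{path}!{name}", name) for name in archive.namelist()]
        for location, name in candidates:
            match = JAR_RE.search(name)
            if match:
                findings.append((location, match.group(1), classify(match.group(1))))
    return findings


if __name__ == "__main__":
    # Usage: python struts_inventory.py /path/to/deployments
    for location, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:8} {version:10} {location}")
```

Jars with non-numeric version suffixes or renamed artifacts are not matched, so a clean result here does not replace a dependency-manifest review.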

Mayuresh Dani, security research manager for the Qualys Threat Research Team, explained that researchers consider this a high-severity vulnerability because it’s not just a simple directory traversal vulnerability. Dani said any vulnerable Struts 2 implementation that allows file uploads lets attackers upload malicious files and thereby execute an RCE.

“Depending on the application installation, the code could execute with the privileges of the web server or a designated user,” said Dani. “This vulnerability should be patched as soon as possible. In the interim, customers can ensure that applications are configured to only accept authorized file types and to limit the size of uploaded files.”

Adam Neel, threat detection engineer at Critical Start, said it’s important to get ahead of this vulnerability and upgrade Apache servers to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible. Neel said exploitation of the file upload parameters can potentially lead to an RCE.

“It’s worth noting that this vulnerability has not yet been exploited by malicious actors, but it’s similar to a previous Apache vulnerability — CVE-2017-5638 — that resulted in the breach of Equifax [in 2017],” said Neel. “Apache servers are the backbone of countless online services and applications, serving as a critical component of digital infrastructure. Ensuring the security of these servers is paramount in protecting organizations, as well as end users.”

Andrew Barratt, vice president at Coalfire, added that the danger here is that webserver vulnerabilities that have the potential to lead to RCEs, or even just remote file upload, are typically automated quickly because of the potential for mass use as an initial point of access. 
