Apache Struts 2 RCE Attacks

Threat actors target Apache Struts 2 due to vulnerabilities in its code that can be exploited for unauthorized access to web applications. 

Exploiting these vulnerabilities allows attackers to execute arbitrary code that could lead to full system compromise. 

As Apache Struts 2 is widely used in web development, successful attacks can impact many applications, making it an attractive target for those seeking widespread exploits and data breaches.

Cybersecurity researchers at CYFIRMA Research recently discovered more than 1,718,898 Apache Struts 2 installations are open to RCE (Remote code execution) attacks.

Global statistics (Source – Cyfirma)

The RCE flaw was tracked as “CVE-2023-50164” by security analysts, and this flaw enables threat actors to perform remote code execution and file upload attacks.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Flaw profile

  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE) via Apache Struts File Upload
  • CVE ID: CVE-2023-50164
  • CVSS Severity Score: 9.8 (Critical)
  • Application: Apache Struts 2
  • Impact: Allows unauthenticated attackers to execute arbitrary code by exploiting a file upload vulnerability
  • Severity: Critical
  • Affected Versions: Multiple versions of Apache Struts 2 are impacted; refer to the link
  • Patch Available: Yes

Technical analysis

Apache Struts 2 faces a major threat with CVE-2023-50164, which lets attackers execute code and upload malicious files.

CYFIRMA researchers exposed the flaw’s severity and tied it to a file upload weakness in the framework, posing serious security risks.

Exploiting this critical RCE vulnerability endangers system integrity and confidentiality and opens doors to data breaches. 

Security experts highlight the exploit’s reliance on HTTP parameter case sensitivity that enables the threat actors to manipulate the variables that are critical in nature.

However, the Apache team responds strategically to a vulnerability by introducing equalsIgnoreCase() method, countering case sensitivity manipulation in recent commits. 

The enhancement aims to strengthen the Apache Struts against parameter pollution leading to path traversal exploits. The vulnerability in AbstractMultiPartRequest.java allows the persistence of path traversal payloads. 

The concerns also involve handling of the oversized temporary files during uploads which could pose a serious persistence threat.

Apache introduced a crucial commitment to counter the risks, ‘Always delete uploaded file,’ this ensures consistent removal of temporary files and also blocks the avenues for persistent attacks. 

The commitment reflects proactive measures to address security concerns. Besides this, the recent code changes also affirm Apache’s commitment to enhancing framework security.

Apply Apache Struts 2 updates as soon as possible to mitigate the “CVE-2023-50164” flaw. Boost defense with custom rules, file upload monitoring, and improved firewall settings. Make sure to act promptly to stop any unauthorized access and code execution.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.