
Critical RCE vulnerability discovered in Apache Struts 2: recommendations and fixes

Technical look at the RCE threat: details, implications and how to protect yourself

Attackers are targeting Apache Struts 2 installations that are vulnerable to a Remote Code Execution (RCE) flaw. The vulnerability, tracked as CVE-2023-50164, allows an attacker to upload a malicious file, leading to remote code execution. Struts users are advised to update to a fixed version as soon as possible.


Attackers have recently targeted internet-exposed Apache Struts 2 installations that are vulnerable to a newly disclosed Remote Code Execution (RCE) flaw. The vulnerability, tracked as CVE-2023-50164 with a CVSS score of 9.8, was revealed a week ago. The Apache Software Foundation has released patches and urges users to apply them without delay.

Technical details of the vulnerability

The critical flaw lies in Struts' file upload logic: it can allow an attacker to perform a path traversal attack and upload a malicious file, resulting in RCE. As explained by cybersecurity company Trend Micro, the flaw stems from the mishandling of file upload parameters: because HTTP parameters are addressed case-insensitively, an attacker can manipulate them to override an internal file name variable.

Impact and method of attack

When a file is uploaded, Struts generates a temporary file that is deleted after the data is written to the assigned path. However, if the temporary file exceeds a certain size, it is not deleted. Attackers exploit this behavior by controlling the name of the temporary file in order to upload a malicious payload. When Struts processes HTTP request arguments that contain path traversal characters, the security checks are bypassed.

Recommendations and protection

Security researchers from Trend Micro and other organizations such as Akamai, Malwarebytes, and the Shadowserver Foundation have observed attempts to exploit the flaw. However, they note that large-scale exploitation is complex, because scanning for and exploiting this flaw is more difficult than with previous vulnerabilities. Struts users are advised to update to a fixed version as soon as possible, as the flaw affects versions 2.0.0 to 2.3.37 (no longer supported), 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. Corrective updates are available with Struts versions 2.5.33 and 6.3.0.2.
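
To act on the version guidance above, the following added example (not from the article or the Apache Struts project) inventories `struts2-core` jars under a directory, including those packed inside WAR/EAR/JAR archives, and classifies each against the version ranges quoted in the article. It assumes the jar keeps its Maven file name `struts2-core-<version>.jar`; versions the article does not list are reported as `unlisted` for manual review.

```python
import re
import sys
import zipfile
from pathlib import Path, PurePosixPath

# Version data copied from the article; anything outside it is reported as "unlisted".
AFFECTED = [("2.0.0", "2.3.37"), ("2.5.0", "2.5.32"), ("6.0.0", "6.3.0")]
FIXED = ["2.5.33", "6.3.0.2"]
# Assumption: the library keeps its Maven artifact file name.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})\.jar$")


def parse(version):
    """'6.3.0' -> (6, 3, 0, 0), so that 6.3.0 sorts below 6.3.0.2."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version):
    v = parse(version)
    if any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED):
        return "affected"
    # Same major line and at or above a fixed release named in the article.
    if any(v[0] == parse(f)[0] and v >= parse(f) for f in FIXED):
        return "fixed"
    return "unlisted"


def scan(root):
    """Return sorted (location, version, status) for each struts2-core jar under root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        names = [(rel, path.name)]
        # Also look one level inside WAR/EAR/fat-JAR archives (e.g. WEB-INF/lib).
        if path.suffix.lower() in (".war", ".ear", ".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                names += [(f"{rel}!{n}", PurePosixPath(n).name) for n in archive.namelist()]
        for location, name in names:
            match = JAR_RE.match(name)
            if match:
                findings.append((location, match.group(1), classify(match.group(1))))
    return sorted(findings)


if __name__ == "__main__":
    for location, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {version:10} {location}")
```

Run it with the deployment directory as the only argument. Archives nested more than one level deep and shaded or renamed jars are not detected.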


12/15/2023 11:16

Editorial AI
