A newly discovered critical security flaw in Apache Struts 2, a widely used open-source web application framework, has spurred an urgent call for users to patch their systems. The flaw, CVE-2023-50164, poses a severe risk of remote code execution (RCE).
New Apache Struts 2 RCE Vulnerability Discovered
Recently, Apache has issued a security advisory highlighting this critical vulnerability in the Struts 2 framework, which could lead to remote code execution. The vulnerability stems from defective file upload logic, potentially allowing unauthorized path traversal. Under certain conditions, this flaw can be exploited to upload and execute arbitrary code.
Struts 2, employing the Model-View-Controller (MVC) architecture, is a Java framework extensively used in building enterprise-level web applications. While there are no reports of active exploitation of this vulnerability, the history of Apache Struts vulnerabilities, such as CVE-2017-5638 (CVSS score: 10.0), which was used in the notorious Equifax breach in 2017, underscores the importance of proactive security measures.
Affected Struts 2 Versions
The vulnerability affects the following versions of Apache Struts 2.3.37 (End of Life), 2.5.0 to 2.5.32 and Struts 6.0.0 to 6.3.0. Apache released patches in Struts versions 2.5.33 and 6.3.0.2 or later to address this issue. The developer does not offer any workarounds to mitigate the issue, so applying the patch update as soon as possible is crucial. The project maintainers strongly recommend developers implement the update, and they have stated that “This is a drop-in replacement, and upgrade should be straightforward”. This update is necessary to protect systems from potential exploits.
Preventive measures and recommendations
- Assess and Update. As I’ve said many times before, the updates contain essential fixes. Postponing or ignoring them jeopardizes the entire target network. So, evaluate their current version of Apache Struts and apply the necessary patches.
- Stay Informed. I recommend continuously monitoring official channels for updates or additional information. Keeping yourself informed will allow you to take necessary precautions and mitigate any potential risks associated with the vulnerability.
- Logging and Monitoring. Implement a comprehensive logging system to capture all application activity and user actions. Also, implement log analysis tools to identify suspicious activity and potential security incidents.
- Penetration Testing. Regularly perform vulnerability scans and penetration testing to identify and address security vulnerabilities and weaknesses. This will help not only to enhance software security, but also to pick a secure network architecture and hardware options.
Since Apache Struts 2 is integral to numerous enterprise web applications, it makes this vulnerability particularly concerning. The potential for unauthorized remote code execution could lead to significant data breaches and disruptions in critical services. In light of this development, Apache Struts 2 users are urged to:
