On December 7th, 2023, the Apache Struts project disclosed a significant vulnerability, CVE-2023-50164, in its Struts 2 open-source web framework. Rated at a critical CVSS score of 9.8, this flaw resides within the framework’s file upload logic.
Exploiting this vulnerability empowers attackers to manipulate upload parameters, potentially leading to arbitrary file upload and, under specific conditions, code execution.
The popularity of Apache Struts in handling complex application requirements has made it a critical component in the global web application infrastructure.
Used by numerous Fortune 100 companies and government organizations worldwide, its widespread adoption also makes it a prime target for cyber-attacks.
CVE-2023-50164 affects the Struts 2 framework's file upload logic and allows unauthorized path traversal, which can lead to remote code execution. Depending on the privileges of the account running the application, an attacker could then install programs or view, change, or delete data.
The issue lies in the differing treatment of parameters based on case sensitivity. For instance, the framework treats param1="value1" and Param1="Value1" as two distinct parameters because HTTP parameter names are handled case-sensitively. Recent Apache commits indicate a shift to case-insensitive handling of HTTP parameters.
The vulnerability therefore stems from parameter pollution. An attacker alters the original parameter and introduces an additional lowercase parameter of the same name; this lowercase parameter may override an internal file name variable, which is what makes the path traversal possible.
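The two signals described above (a second spelling of a parameter name that differs only by case, and a file name value carrying a ".." path segment) are exactly what a virtual patch in front of an upload endpoint would look for. The following is an added example, not code from the original post or from AppTrana; the parameter names and request samples are constructed, and the UploadFileName naming is an assumption, not a claim about any specific rule.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# A '..' path segment bounded by a slash, backslash or string end. Checked after
# URL-decoding so encoded variants such as %2e%2e%2f are caught as well.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def find_case_collisions(params):
    """Group parameter names that differ only by case.

    params: list of (name, value) pairs as parsed from a multipart request.
    Returns {lowercased_name: [original spellings]} for every name that
    appears in more than one spelling (e.g. UploadFileName / uploadFileName).
    """
    groups = defaultdict(list)
    for name, _ in params:
        groups[name.lower()].append(name)
    return {k: v for k, v in groups.items() if len(set(v)) > 1}


def find_traversal(params):
    """Return (name, decoded value) for every parameter value that contains a
    '..' path segment once URL-decoded (two passes to cover double encoding)."""
    hits = []
    for name, value in params:
        decoded = unquote(unquote(value))
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def evaluate(params):
    """WAF-style verdict: 'block' if either signal fires, otherwise 'allow'."""
    findings = {
        "case_collisions": find_case_collisions(params),
        "traversal": find_traversal(params),
    }
    verdict = "block" if findings["case_collisions"] or findings["traversal"] else "allow"
    return verdict, findings


# Constructed sample requests (name/value pairs only, not real traffic).
BENIGN = [("Upload", "<binary>"), ("UploadFileName", "report.pdf")]
SUSPICIOUS = [("Upload", "<binary>"), ("UploadFileName", "report.pdf"),
              ("uploadFileName", "..%2F..%2Fevil.txt")]

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, *evaluate(req))  # benign allow ..., suspicious block ...
```

Logging both findings separately (rather than only the verdict) lets an analyst tell a merely odd client that repeats a parameter from one that is also attempting traversal.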
Severity: Critical
CVSSv3.1: Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv2: Base Score: 10.0 CRITICAL
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available in public: Yes
Exploit complexity: Low
Struts 2.0.0 through 2.3.37 (EOL), 2.5.0 through 2.5.32, and 6.0.0 through 6.3.0 are affected. The Apache Struts project has released a patch addressing CVE-2023-50164.
AppTrana WAAP doesn’t just manage vulnerabilities but takes proactive measures to preempt their exploitation through its risk-based approach.
AppTrana's vulnerability management system prioritizes critical vulnerabilities, enabling teams to address the most imminent threats first. This approach optimizes resource allocation and focuses remediation effort where the risk is highest.
AppTrana’s built-in DAST scanner identifies and tracks system vulnerabilities. It highlights instances of Struts, mapping its deployment across the organization. This data is vital for targeted security measures and streamlined patch management.
Beyond vendor-provided patches, Indusface's managed security team has developed the following custom security rule (virtual patching) to generate alerts related to Apache Struts and promptly block any attempt to exploit the vulnerability.
Rule ID | Name
302 | LFI Attacks
This virtual patch is deployed within 24 hours from the Proof of Concept (POC) publication, providing day-zero protection for all AppTrana customers.
This post was last modified on January 22, 2024 12:00