CVE-2023-50164: Apache Struts Path Traversal Vulnerability
December 31, 2023
On December 13, 2023, threat actors began attempting to exploit CVE-2023-50164, a critical-severity remote code execution (RCE) vulnerability in Apache Struts, an open-source framework for developing Java web applications.
Background:
According to current intelligence, the threat actors are using a publicly available proof-of-concept (PoC) exploit. CVE-2023-50164 carries a CVSS score of 9.8: a remote attacker can manipulate file upload parameters to achieve path traversal and write a malicious file to a location of their choosing on the server, which leads to RCE. Apache fixed the vulnerability in Struts 2.5.33 and 6.3.0.2, released on December 7, 2023. Because Apache Struts is embedded in many enterprise products, each vendor that ships it must release its own fixed build; until that happens, those products remain exposed even though an upstream fix exists. Apache Struts has long been a popular target: several earlier RCE vulnerabilities in Struts are listed in CISA's Known Exploited Vulnerabilities Catalog. Given the public PoC and the ease of exploitation, we expect a surge in attempts against this vulnerability in the near future.

CVE-2023-50164:
CVE-2023-50164 was found in Apache Struts 2, an open-source framework for building Java EE web applications. Because Struts 2 is widely used in both commercial and open-source projects, the vulnerability is a concern across industries, particularly government, healthcare, and finance. The flaw is a path traversal in the way Struts 2 processes multipart file uploads to an application's upload action (for example, /upload.action; the actual path depends on the application). The root cause is that parameter handling was case-sensitive: HTTP parameter names are case-sensitive, so Struts treated param1="value1" and Param1="Value1" as two distinct parameters. The commits that fixed the issue make Struts' HTTP parameter handling case-insensitive. In vulnerable versions, an attacker who controls a file upload parameter can therefore supply a traversal sequence in the destination file name and write the uploaded file, typically a Java Server Pages (JSP) web shell, outside the intended upload directory into a directory the web server will serve. Requesting the newly written shell executes the attacker's code and gives them full control of the server.

Attack Vector:
To exploit the flaw, an attacker must first find a web application running an exploitable Struts version and identify its file upload action. The attacker then sends a multipart request to that action containing a JSP-based web shell as the uploaded file, with a file upload parameter manipulated to carry a path traversal payload so the file is written outside the intended upload directory. If the server accepts the request, it saves the web shell at the attacker-chosen, web-reachable location. The attacker then requests the web shell to execute arbitrary code, gaining full control of the system.

Affected Versions:
Product | Affected Version(s) | Fixed Version(s) |
---|---|---|
Apache Struts | Struts 2.0.0 – Struts 2.3.37 (EOL) | Struts 2.5.33 or greater |
Apache Struts | Struts 2.5.0 – Struts 2.5.32 | Struts 2.5.33 or greater |
Apache Struts | Struts 6.0.0 – Struts 6.3.0 | 6.3.0.2 or greater |
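As an added example (not code from this advisory or from the Struts project), the following Python script applies the version ranges in the table above to an inventory of struts2-core jar file names, as you would collect them with a filesystem search. The jar naming pattern struts2-core-<version>.jar is the standard Maven artifact name; the sample paths are constructed. Versions are compared as integer tuples, so 6.3.0 and 6.3.0.1 both fall below the 6.3.0.2 fix, and anything on the 2.0.x to 2.3.x branch is flagged as end-of-life, where the only remedy is moving to 2.5.33 or later.

```python
import re

# Affected ranges taken from the table above: [2.0.0, 2.5.33) and [6.0.0, 6.3.0.2).
# Each entry: (lowest affected, first fixed, fixed version to recommend).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 5, 33), "2.5.33"),
    ((6, 0, 0), (6, 3, 0, 2), "6.3.0.2"),
]
EOL_BELOW = (2, 5, 0)   # 2.0.x - 2.3.x is end-of-life; there is no fix on that branch

# Standard Maven artifact name for the Struts 2 core jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2). Raises ValueError for non-numeric versions."""
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def assess(version):
    """Return (affected, note) for a struts2-core version string.

    Tuple comparison handles the mixed 3- and 4-component versions in the
    table: (6, 3, 0) < (6, 3, 0, 1) < (6, 3, 0, 2).
    """
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:
            note = f"affected; upgrade to {fix} or later"
            if v < EOL_BELOW:
                note += " (EOL branch, no patch for it)"
            return True, note
    return False, "not in an affected range"


def scan_jar_names(paths):
    """Pick struts2-core jars out of a list of paths and assess each one.

    Returns {path: (version, affected, note)}; non-Struts jars are skipped.
    """
    results = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            affected, note = assess(m.group(1))
            results[path] = (m.group(1), affected, note)
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical paths, not real hosts), e.g. the
    # output of: find / -name 'struts2-core-*.jar'
    sample = [
        "/opt/tomcat/webapps/app1/WEB-INF/lib/struts2-core-2.5.32.jar",
        "/opt/tomcat/webapps/app2/WEB-INF/lib/struts2-core-6.3.0.1.jar",
        "/opt/tomcat/webapps/app3/WEB-INF/lib/struts2-core-6.3.0.2.jar",
        "/opt/legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
        "/opt/tomcat/lib/commons-fileupload-1.5.jar",
    ]
    for path, (ver, affected, note) in scan_jar_names(sample).items():
        status = "VULNERABLE" if affected else "ok"
        print(f"{status:<10} {ver:<8} {note}  {path}")
```

A jar inventory only covers applications that bundle Struts directly; vendor products that embed it under their own artifact names still need the vendor's advisory, as noted under Background.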
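The upload request shape described under Attack Vector, turned into a triage check. This is an added example, not part of the original advisory or of Struts itself: a minimal multipart/form-data parser feeds a detector that looks for the indicators the advisory names, namely parameter names that differ only by case, a <field>FileName parameter (the Struts convention for the file-name property of an upload field) that carries a traversal sequence or a JSP extension, and a resolved target that leaves the upload directory. The field names Upload and uploadFileName, the upload root /var/www/app/uploads, and both request bodies are constructed assumptions for the demonstration; the web shell body is a placeholder comment, not a working shell.

```python
import posixpath
import re

UPLOAD_ROOT = "/var/www/app/uploads"   # assumed upload directory of the target app
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
EXEC_EXT = (".jsp", ".jspx", ".jspf")
FILENAME_SUFFIX = "filename"           # Struts exposes the upload's name as <field>FileName


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser for the constructed samples below.

    Returns [(name, filename_or_None, data_bytes), ...]. It handles only the
    simple shape used here and is not a substitute for a real parser.
    """
    parts = []
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter: boundary followed by "--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        disp = next((h for h in head.split(b"\r\n")
                     if h.lower().startswith(b"content-disposition:")), b"")
        name = re.search(rb'[;\s]name="([^"]*)"', disp)
        fname = re.search(rb'filename="([^"]*)"', disp)
        parts.append((name.group(1).decode() if name else "",
                      fname.group(1).decode() if fname else None,
                      data))
    return parts


def assess_upload(parts, upload_root=UPLOAD_ROOT):
    """Return a list of findings (empty = nothing suspicious) for one parsed request."""
    findings = []
    # 1. Names equal only when compared case-insensitively: pre-fix Struts treated
    #    them as separate parameters, which is the behaviour the patch removed.
    by_lower = {}
    for n, _, _ in parts:
        by_lower.setdefault(n.lower(), set()).add(n)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append(f"case-variant parameter names: {sorted(variants)}")
    # 2. A text parameter shaped like <field>FileName that points at a file field
    #    of different case, or that carries a traversal or executable name.
    file_fields = [n for n, f, _ in parts if f is not None]
    for n, f, data in parts:
        if f is not None or not n.lower().endswith(FILENAME_SUFFIX):
            continue
        field = n[:-len(FILENAME_SUFFIX)]
        targets = [ff for ff in file_fields if ff.lower() == field.lower()]
        if targets and field not in targets:
            findings.append(f"file field {targets[0]!r} overridden via case-variant parameter {n!r}")
        value = data.decode("utf-8", errors="replace")
        if TRAVERSAL.search(value) or value.startswith(("/", "\\")):
            findings.append(f"path traversal in {n!r}: {value!r}")
        if value.lower().endswith(EXEC_EXT):
            findings.append(f"server-executable extension in {n!r}: {value!r}")
        # 3. Where the file would land if the override were honoured.
        target = posixpath.normpath(posixpath.join(upload_root, value.replace("\\", "/")))
        if not target.startswith(upload_root.rstrip("/") + "/"):
            findings.append(f"resolved target escapes upload root: {target}")
    return findings


BOUNDARY = "----boundary7d3a"
# Constructed request bodies (not captured traffic). The JSP body is a placeholder comment.
MALICIOUS = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Upload"; filename="shell.jsp"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<%-- placeholder, not a real web shell --%>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    "../../shell.jsp\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
BENIGN = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 placeholder\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, assess_upload(parse_multipart(body, BOUNDARY)) or ["no findings"])
```

The same assess_upload logic can be run over requests reconstructed from a reverse proxy or WAF capture; the resolved-target check is the one that matters most, because a traversal string that still lands inside the upload root is noise, while one that resolves into a served directory is the write the advisory warns about.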