You can now find Cyber Kendra on Google News!

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Update Now

RCE in Apache Struts 2

Apache has disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2023-50164, affecting multiple versions of its popular Java web application framework, Apache Struts 2. The vulnerability allows attackers to achieve arbitrary code execution by uploading malicious files due to a flaw in the file upload logic of Struts 2.

The vulnerable versions of Struts 2 include:

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 - Struts 2.5.32
  • Struts 6.0.0 - Struts 6.3.0

The vulnerability was discovered and reported by security researcher Steven Seeley of Source Incite.

According to Apache's advisory, the vulnerability is caused by a flawed file upload logic in Struts 2 that could enable unauthorized path traversal on the server. Attackers could exploit this to upload malicious files and achieve remote code execution on the server.

The advisory has rated the severity of this vulnerability as critical, which highlights the urgent need to patch Struts 2 installations.

Patches Released - Update Instances Immediately

Apache has released Struts 2 version 2.5.33 and 6.3.0.2 to address this vulnerability.

All administrators and developers using vulnerable Struts 2 releases are strongly advised to upgrade their installations to the latest patched versions immediately. According to the advisory, the upgrade process should be straightforward as the patched releases are drop-in replacements.

Risks and Potential Impact

Considering that this flaw enables arbitrary remote code execution, it poses a serious risk to the security of web applications built using Struts 2.

If successfully exploited, this vulnerability could allow attackers to compromise affected servers and networks, carry out denial-of-service attacks, steal sensitive data, or use compromised systems for malware distribution and other cyber attacks.

While there is currently no evidence of active exploitation in the wild, the risks should not be taken lightly, given Struts 2's wide usage across enterprises and websites.

Prior Critical Vulnerabilities in Struts 2

This is not the first critical remote code execution vulnerability found in Apache Struts 2.

In 2017, a similarly severe vulnerability called Struts-shock (CVE-2017-5638) was actively exploited to breach credit rating agency Equifax, exposing the highly sensitive personal information of nearly 150 million people.

Struts-Shock is a Remote Code Execution (RCE) vulnerability, also referred to as command injection. A command injection vulnerability allows an attacker to send HTTP requests to an impacted web application, and execute commands of their choosing on the server.

Considering Struts 2's history with critical vulnerabilities and real-world attacks leveraging them, patching this latest vulnerability needs to be an utmost priority for website operators and developers using the platform.

Post a Comment