Apache Struts has just released an advisory for CVE-2023-50164, a critical vulnerability; currently, it is a perfect 10. The library is integrated into many systems and was previously known for the infamous Equifax breach affecting the organization’s application security program.
Identified as CVE-2023-50164, this flaw exists in the Struts 2 framework’s “file upload logic.” It allows unauthorized path traversal, enabling attackers to upload and execute malicious files remotely.
What is Apache Struts, and what affects CVE-2023-50164?
Apache Struts is an open-source framework used for developing Java EE web applications. It employs the Model-View-Controller (MVC) paradigm, enabling developers to create applications that separate display, logic, and data components. Struts have been pivotal in the development landscape, offering an extensible architecture and a robust set of tools and integrations.
Location and Usage in Web Applications for Apache Struts
Struts are typically located at the core of a web application’s architecture. It interacts with Java Servlets and JavaServer Pages (JSP) to process web requests, render responses, and manage application flow. Struts is widely used across various industries due to its efficiency in building scalable, reliable, and maintainable web applications.
The Impact of Struts Vulnerability CVE-2023-50164:
The impact of vulnerabilities in Struts, especially those leading to remote code execution, is profound. These flaws can allow unauthorized access to web servers, enabling attackers to manipulate or steal sensitive data, disrupt services, or use compromised systems for further attacks. High-profile breaches, like the Equifax incident, underscore the potential damage from exploiting Struts vulnerabilities.
Widespread Use of Apache Struts:
Apache Struts’ popularity is due to its robustness and efficiency in handling complex application requirements. It is used by numerous Fortune 100 companies and government organizations worldwide, making it a critical component in the global web application infrastructure. This widespread use also makes it a target for cyber
How to Remediate
The Apache Struts project urges to perform mitigation to the vulnerability by upgrading to one of the patched versions:
Get in control of your Application Security posture and Vulnerability management
Apache Struts Overview of CVE-2023-50164 and Analysis
Vulnerability Overview: The vulnerability allows an attacker to manipulate file upload parameters to enable path traversal, potentially leading to the uploading of a malicious file for remote code execution.
Affected Versions: It affects Struts versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.
Let’s break down the key points:
- Vulnerability Overview: The vulnerability allows an attacker to manipulate file upload parameters to enable path traversal, potentially leading to the uploading of a malicious file for remote code execution.
- Affected Versions: It affects Struts versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.
- Patch Analysis:
- Two commits are highlighted as particularly relevant:
- “Always delete uploaded file” ensures temporary files are correctly deleted after upload. Before the patch, overly long file upload parameters could leave temporary files on the disk.
- “Makes HttpParameters case-insensitive” changes how the
HttpParameters
class handles parameter names, treating them as case-insensitive.
- Two commits are highlighted as particularly relevant:
- Exploring the Vulnerability:
- The
FileUploadInterceptor
class in Struts adds file upload-related parameters toHttpParameters
. This process is key to understanding the vulnerability. - By making
HttpParameters
case-insensitive, it’s possible to overwrite parameters by using different cases (e.g., ‘upload’ vs. ‘Upload’). - The article details a request example where different case parameters lead to only one being executed due to reflective method invocation based on parameter names.
- The
- Parameter Pollution and Directory Traversal:
- The vulnerability can be exploited by overriding parameters in the Action class through setter methods.
- By manipulating the
uploadFileName
parameter, attackers can potentially cause directory traversal if the business logic does not perform adequate checks. - The article provides examples of how to construct requests to overwrite the
uploadFileName
, demonstrating potential directory traversal
In essence, the vulnerability lies in how Struts handles file upload parameters, especially concerning the case sensitivity of these parameters. By manipulating these parameters, an attacker can potentially overwrite key variables and execute arbitrary code, emphasizing the need for immediate patching and careful code review. An ASPM solution paired with SCA analysis can help organizations drive and prioritize vulnerability remediation.
Exploitation and analysis of CVE-2023-50164
Currently, there are 4315 servers exposed, with Apache struts servers exposed over the web; there is currently no exploitation activity for this vulnerability nor evidence of exploitation. Nonetheless, as with the previous effect of struts, we recommend caution and a quick update.
EPSS Score for the vulnerability is still low as it was just disclosed (0.00142) further down the week the exploitation got corrected to 0.097990000
Despite being highly popular as the package is in the most common web servers, the vulnerability has been classified.
- Common in enterprise
- Difficult to weaponize,
- Vulnerable in uncommon configuration
Exploitation Attempts for CVE-2023-50164 in Apache Struts
Early exploitation from Shadowserver leads to evidence of some IP addresses involved in exploitation attempts for CVE-2023-50164 vulnerability. There is also evidence of PoC from the original post https://xz.aliyun.com/t/13172 . However, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome; hence, the vulnerability exploitation remains low.
References for CVE-2023-50164 in Apache Struts
CVE-2023-50164 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164)
Exploit
https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
Miscellaneous
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
http://www.openwall.com/lists/oss-security/2023/12/07/1
https://www.openwall.com/lists/oss-security/2023/12/07/1
Technical Analysis (https://xz.aliyun.com/t/13172)
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
https://security.netapp.com/advisory/ntap-20231214-0010/
First Supply chain victim of Apache 2 struts vulnerability CVE-2023-50164
Cisco, a leading player in the tech industry, has issued a critical security advisory highlighting its investigation into the impact of the Apache Struts vulnerability on its suite of products. In a security advisory, the company disclosed an ongoing investigation to identify affected products and assess the impact. This probe underlines the far-reaching consequences of the widely-used Apache Struts framework in major tech infrastructures. Particularly under Cisco’s lens are key solutions like the Cisco Customer Collaboration Platform (formerly known as SocialMiner), Identity Services Engine (ISE), and a range of products in network management, voice, and unified communications sectors.
As the investigation progresses, Cisco is committed to regularly updating its security advisory, promising to provide detailed Cisco bug IDs for each impacted product. These updates will be crucial for users, as they will also offer insights into available patches and potential workarounds, ensuring heightened cybersecurity and resilience against such vulnerabilities. Stay tuned for Cisco’s crucial updates to safeguard your network and communication systems.
Patch Analysis for CVE-2023-50164
- Two commits are highlighted as particularly relevant:
- “Always delete uploaded file” ensures temporary files are correctly deleted after upload. Before the patch, overly long file upload parameters could leave temporary files on the disk.
- “Makes HttpParameters case-insensitive” changes how the
HttpParameters
class handles parameter names, treating them as case-insensitive.
Exploring the Vulnerability CVE-2023-50164 in Apache Struts 2
- The
FileUploadInterceptor
class in Struts adds file upload-related parameters toHttpParameters
. This process is key to understanding the vulnerability. - By making
HttpParameters
case-insensitive, it’s possible to overwrite parameters by using different cases (e.g., ‘upload’ vs. ‘Upload’). - The article details a request example where different case parameters lead to only one being executed, due to reflective method invocation based on parameter names.
- Parameter Pollution and Directory Traversal:
- The vulnerability can be exploited by overriding parameters in the Action class through setter methods.
- By manipulating the
uploadFileName
parameter, attackers can potentially cause directory traversal if the business logic does not perform adequate checks. - The article provides examples of how to construct requests to overwrite the
uploadFileName
, demonstrating potential directory traversal.
The Equifax data breach linked to struts.
Equifax in 2017, which resulted from the exploitation of a known vulnerability in the Apache Struts framework. An ASPM and SCA could have helped accelerate the identification of the vulnerable systems. Here are the key points:
- Cause of the Breach: The Equifax data breach, which exposed sensitive data of approximately 143 million people, was caused by exploiting a flaw in the Apache Struts framework. Notably, Apache had already patched this flaw over two months before the breach occurred.
- Vulnerability Details: The specific vulnerability exploited in the Equifax breach was identified as CVE-2017-5638 in Apache Struts2. This was a critical vulnerability with a maximum score of 10.0. Apache had disclosed and fixed this vulnerability on March 6 by releasing Apache Struts version 2.3.32 or 2.5.10.1.
- Nature of the Flaw: CVE-2017-5638 was a remote code execution bug located in the Jakarta Multipart parser of Apache Struts2. It allowed attackers to execute malicious commands on the server during file uploads. The vulnerability could be exploited by sending a specially crafted request with a malicious ‘Content-Type’ value.
- Delayed Patching: Despite the availability of patches and evidence that the flaw was already being exploited actively by hackers, Equifax failed to update its web applications against this flaw, leading to the data breach.
- Equifax’s Response: After the breach, Equifax conducted an intense investigation with the aid of a cybersecurity firm to determine the scope of the intrusion and the information accessed. They confirmed that the breach exploited the Apache Struts CVE-2017-5638 vulnerability and continued to work with law enforcement on the criminal investigation.
- Widespread Use of Apache Struts: Apache Struts is a popular open-source MVC framework for Java web applications, used by many Fortune 100 companies. The widespread use of this framework meant that the vulnerability had a significant potential impact across various industries.
- Follow-Up Measures: Following the breach, Equifax offered free credit-monitoring and identity theft protection services to affected individuals. They also implemented a security freeze for accessing personal information and updated their PIN generation method for added security.
How Phoenix Security Can Help
Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.
The Role of Application Security Posture Management (ASPM):
ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:
- Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
- Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
- Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
- Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.
Get in control of your Application Security posture and Vulnerability management
Previous Issues of Vulnerability Weekly
- Apache Active MQ
- Atlassian Critical Vulnerability Exploited by nation-state CVE-2023-22515
- Critical vulnerability F5
- How to update curl and libcurl without panic fixing
- Critical Vulnerabilities in Atlassian Confluence: Zero-Day
- Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities
- Understanding the libcue Vulnerability CVE-2023
- Understanding and fixing Curl and libcurl
- MOVEit Transfer breach, Zellis compromise CVE-2023-34362
Other Useful resources
Data Visualization of vulnerabilities in the wild
- CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
- Exploit in the wild: https://phoenix.security/what-is-exploitability/
- OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
- CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/