blog

How Dangerous is CVE-2023-50164 and how to fix Apache Struts2 Remote Code execution Critical Vulnerability

Application Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164


Application Security, Struts, Apache, Remote Code Execution, Cybersecurity, CVE-2017-5638, CVE-2023-50164
How to fix Apache Struts Perfect 10, now 9.8 Application Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164

Apache Struts has just released an advisory for CVE-2023-50164, a critical vulnerability; currently, it is a perfect 10. The library is integrated into many systems and was previously known for the infamous Equifax breach affecting the organization’s application security program.

Identified as CVE-2023-50164, this flaw exists in the Struts 2 framework’s “file upload logic.” It allows unauthorized path traversal, enabling attackers to upload and execute malicious files remotely.

What is Apache Struts, and what affects CVE-2023-50164?

Apache Struts is an open-source framework used for developing Java EE web applications. It employs the Model-View-Controller (MVC) paradigm, enabling developers to create applications that separate display, logic, and data components. Struts have been pivotal in the development landscape, offering an extensible architecture and a robust set of tools and integrations.

Location and Usage in Web Applications for Apache Struts

Struts are typically located at the core of a web application’s architecture. It interacts with Java Servlets and JavaServer Pages (JSP) to process web requests, render responses, and manage application flow. Struts is widely used across various industries due to its efficiency in building scalable, reliable, and maintainable web applications.

The Impact of Struts Vulnerability CVE-2023-50164:

The impact of vulnerabilities in Struts, especially those leading to remote code execution, is profound. These flaws can allow unauthorized access to web servers, enabling attackers to manipulate or steal sensitive data, disrupt services, or use compromised systems for further attacks. High-profile breaches, like the Equifax incident, underscore the potential damage from exploiting Struts vulnerabilities.

Widespread Use of Apache Struts:

Apache Struts’ popularity is due to its robustness and efficiency in handling complex application requirements. It is used by numerous Fortune 100 companies and government organizations worldwide, making it a critical component in the global web application infrastructure. This widespread use also makes it a target for cyber

How to Remediate

The Apache Struts project urges to perform mitigation to the vulnerability by upgrading to one of the patched versions

  1. Apache Struts 2.5.33 
  2. Apache Struts 6.3.0.2 or later 

Get an overview of your asset lineage

Apache Struts Overview of CVE-2023-50164 and Analysis

Vulnerability Overview: The vulnerability allows an attacker to manipulate file upload parameters to enable path traversal, potentially leading to the uploading of a malicious file for remote code execution.

Affected Versions: It affects Struts versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.
Let’s break down the key points:

  1. Vulnerability Overview: The vulnerability allows an attacker to manipulate file upload parameters to enable path traversal, potentially leading to the uploading of a malicious file for remote code execution.
  2. Affected Versions: It affects Struts versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.
  3. Patch Analysis:
    • Two commits are highlighted as particularly relevant:
      • “Always delete uploaded file” ensures temporary files are correctly deleted after upload. Before the patch, overly long file upload parameters could leave temporary files on the disk.
      • “Makes HttpParameters case-insensitive” changes how the HttpParameters class handles parameter names, treating them as case-insensitive.
  4. Exploring the Vulnerability:
    • The FileUploadInterceptor class in Struts adds file upload-related parameters to HttpParameters. This process is key to understanding the vulnerability.
    • By making HttpParameters case-insensitive, it’s possible to overwrite parameters by using different cases (e.g., ‘upload’ vs. ‘Upload’).
    • The article details a request example where different case parameters lead to only one being executed due to reflective method invocation based on parameter names.
  5. Parameter Pollution and Directory Traversal:
    • The vulnerability can be exploited by overriding parameters in the Action class through setter methods.
    • By manipulating the uploadFileName parameter, attackers can potentially cause directory traversal if the business logic does not perform adequate checks.
    • The article provides examples of how to construct requests to overwrite the uploadFileName, demonstrating potential directory traversal

In essence, the vulnerability lies in how Struts handles file upload parameters, especially concerning the case sensitivity of these parameters. By manipulating these parameters, an attacker can potentially overwrite key variables and execute arbitrary code, emphasizing the need for immediate patching and careful code review. An ASPM solution paired with SCA analysis can help organizations drive and prioritize vulnerability remediation.

Exploitation and analysis of CVE-2023-50164

Struts, Apache, Remote Code Execution,

Currently, there are 4315 servers exposed, with Apache struts servers exposed over the web; there is currently no exploitation activity for this vulnerability nor evidence of exploitation. Nonetheless, as with the previous effect of struts, we recommend caution and a quick update.

EPSS Score for the vulnerability is still low as it was just disclosed (0.00142) further down the week the exploitation got corrected to 0.097990000

Despite being highly popular as the package is in the most common web servers, the vulnerability has been classified.

  • Common in enterprise
  • Difficult to weaponize,
  • Vulnerable in uncommon configuration

Exploitation Attempts for CVE-2023-50164 in Apache Struts

Early exploitation from Shadowserver leads to evidence of some IP addresses involved in exploitation attempts for CVE-2023-50164 vulnerability.  There is also evidence of PoC from the original post https://xz.aliyun.com/t/13172 . However, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome; hence, the vulnerability exploitation remains low.

Tweet by Shadowserver (X)
Tweet by Shadowserver (X)

References for CVE-2023-50164 in Apache Struts

CVE-2023-50164 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164)

Exploit

https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE

Miscellaneous

https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj

http://www.openwall.com/lists/oss-security/2023/12/07/1

https://www.openwall.com/lists/oss-security/2023/12/07/1

Technical Analysis (https://xz.aliyun.com/t/13172)

http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html

https://security.netapp.com/advisory/ntap-20231214-0010/

First Supply chain victim of Apache 2 struts vulnerability CVE-2023-50164

Cisco, a leading player in the tech industry, has issued a critical security advisory highlighting its investigation into the impact of the Apache Struts vulnerability on its suite of products. In a security advisory, the company disclosed an ongoing investigation to identify affected products and assess the impact. This probe underlines the far-reaching consequences of the widely-used Apache Struts framework in major tech infrastructures. Particularly under Cisco’s lens are key solutions like the Cisco Customer Collaboration Platform (formerly known as SocialMiner), Identity Services Engine (ISE), and a range of products in network management, voice, and unified communications sectors.

As the investigation progresses, Cisco is committed to regularly updating its security advisory, promising to provide detailed Cisco bug IDs for each impacted product. These updates will be crucial for users, as they will also offer insights into available patches and potential workarounds, ensuring heightened cybersecurity and resilience against such vulnerabilities. Stay tuned for Cisco’s crucial updates to safeguard your network and communication systems.

Patch Analysis for CVE-2023-50164

  • Two commits are highlighted as particularly relevant:
    • “Always delete uploaded file” ensures temporary files are correctly deleted after upload. Before the patch, overly long file upload parameters could leave temporary files on the disk.
    • “Makes HttpParameters case-insensitive” changes how the HttpParameters class handles parameter names, treating them as case-insensitive.

Exploring the Vulnerability CVE-2023-50164 in Apache Struts 2

  • The FileUploadInterceptor class in Struts adds file upload-related parameters to HttpParameters. This process is key to understanding the vulnerability.
  • By making HttpParameters case-insensitive, it’s possible to overwrite parameters by using different cases (e.g., ‘upload’ vs. ‘Upload’).
  • The article details a request example where different case parameters lead to only one being executed, due to reflective method invocation based on parameter names.
  1. Parameter Pollution and Directory Traversal:
    • The vulnerability can be exploited by overriding parameters in the Action class through setter methods.
    • By manipulating the uploadFileName parameter, attackers can potentially cause directory traversal if the business logic does not perform adequate checks.
    • The article provides examples of how to construct requests to overwrite the uploadFileName, demonstrating potential directory traversal.

The Equifax data breach linked to struts.

Equifax in 2017, which resulted from the exploitation of a known vulnerability in the Apache Struts framework. An ASPM and SCA could have helped accelerate the identification of the vulnerable systems. Here are the key points:

  • Cause of the Breach: The Equifax data breach, which exposed sensitive data of approximately 143 million people, was caused by exploiting a flaw in the Apache Struts framework. Notably, Apache had already patched this flaw over two months before the breach occurred.
  • Vulnerability Details: The specific vulnerability exploited in the Equifax breach was identified as CVE-2017-5638 in Apache Struts2. This was a critical vulnerability with a maximum score of 10.0. Apache had disclosed and fixed this vulnerability on March 6 by releasing Apache Struts version 2.3.32 or 2.5.10.1.
  • Nature of the Flaw: CVE-2017-5638 was a remote code execution bug located in the Jakarta Multipart parser of Apache Struts2. It allowed attackers to execute malicious commands on the server during file uploads. The vulnerability could be exploited by sending a specially crafted request with a malicious ‘Content-Type’ value.
  • Delayed Patching: Despite the availability of patches and evidence that the flaw was already being exploited actively by hackers, Equifax failed to update its web applications against this flaw, leading to the data breach.
  • Equifax’s Response: After the breach, Equifax conducted an intense investigation with the aid of a cybersecurity firm to determine the scope of the intrusion and the information accessed. They confirmed that the breach exploited the Apache Struts CVE-2017-5638 vulnerability and continued to work with law enforcement on the criminal investigation.
  • Widespread Use of Apache Struts: Apache Struts is a popular open-source MVC framework for Java web applications, used by many Fortune 100 companies. The widespread use of this framework meant that the vulnerability had a significant potential impact across various industries.
  • Follow-Up Measures: Following the breach, Equifax offered free credit-monitoring and identity theft protection services to affected individuals. They also implemented a security freeze for accessing personal information and updated their PIN generation method for added security.

How Phoenix Security Can Help

attack graph, phoenix security

Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.

Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164

The Role of Application Security Posture Management (ASPM):

ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
  2. Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
  3. Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
  4. Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.
Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164, phoenix security

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get an overview of your asset lineage

Previous Issues of Vulnerability Weekly


Other Useful resources

Data Visualization of vulnerabilities in the wild


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.