The days when the good guys could take a security break during the December holidays are over. Plan and expect issues that require teams to come in and mitigate/minimize risk to be the “new normal” for the holidays. This year, researcher Steven Seeley discovered a way to abuse the popular Apache Struts framework’s file upload functionality to achieve remote code execution. Steven disclosed this to the community, which triggered the appropriate proactive response (see the Apache Security Advisory). Organizations have been tracking this as a CVSS 9.8 RCE, which carries a high exploit risk.
It was a matter of time before someone created and published a PoC exploit code for Apache Struts CVE-2023-50164. That time is NOW!
Shadowserver is picking up the use of the PoC exploit code in their HoneyNets. Expect to see active exploitation later this week.
What is this Apache Struts 2 Risk?
Apache Struts is a free, open-source framework for creating Java web applications. It is used in a wide range of systems. Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building to deploying to maintaining applications over time.
This code is most likely spread across your systems, product, and device architectures. If you need an example, look at how Cisco Systems’ security advisory has grown over time as they find all the products that include Apache Struts: Apache Struts Vulnerability Affecting Cisco Products.
The vulnerability allows an attacker to manipulate file upload parameters to enable path traversal, potentially leading to the uploading of a malicious file for remote code execution.
CVE-2023-50164 is a critical vulnerability in the Apache Struts 2 framework. It allows attackers to manipulate file upload parameters to enable path traversal. This could lead to uploading a malicious file for remote code execution. The vulnerability was disclosed on December 7, 2023. It has been assigned a 9.8 CVSS score. The Apache Software Foundation has released security updates to address the vulnerability.
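The mitigation side of the flaw described above is worth seeing in code. The following is an added example (not code from Apache Struts or from this post) that contrasts the naive upload-handling pattern, where a client-supplied filename is joined straight onto the upload directory and can walk out of it, with a hardened handler that rejects directory components, allowlists extensions, generates the stored name itself, and re-checks containment. The upload root, the allowlist and the filenames are constructed values for illustration; none of this reproduces the Struts-specific parameter handling.

```python
import os
import secrets

# Constructed example upload root; not a real deployment path.
UPLOAD_ROOT = "/srv/app/uploads"

# Constructed allowlist of file types this hypothetical endpoint accepts.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def naive_destination(root: str, client_filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined onto the root as-is.

    '../' segments walk out of the root, and an absolute name makes
    os.path.join discard the root entirely."""
    return os.path.normpath(os.path.join(root, client_filename))


def escapes_root(root: str, destination: str) -> bool:
    """True if destination resolves outside root.

    Uses commonpath rather than a string prefix test, so '/srv/app/uploads-old'
    is correctly treated as outside '/srv/app/uploads'."""
    root_abs = os.path.abspath(root)
    dest_abs = os.path.abspath(destination)
    return os.path.commonpath([root_abs, dest_abs]) != root_abs


def safe_destination(root: str, client_filename: str) -> str:
    """Hardened pattern: reject suspicious names instead of trying to clean them.

    The client name is used only to pick the extension; the stored name is
    generated server-side, and the final path is re-checked for containment."""
    if not client_filename or "\x00" in client_filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError("directory separators are not allowed in filenames")
    if client_filename in (".", ".."):
        raise ValueError("relative path component rejected")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    stored_name = secrets.token_hex(16) + ext  # 32 hex chars + extension
    destination = os.path.normpath(os.path.join(root, stored_name))
    # Defence in depth: cannot trigger with a generated name, but it catches
    # a future refactor that reintroduces client-controlled path parts.
    if escapes_root(root, destination):
        raise ValueError("destination escaped the upload root")
    return destination


def rejects(root: str, client_filename: str) -> bool:
    """Helper for demos/tests: True if safe_destination refuses the name."""
    try:
        safe_destination(root, client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("report.pdf", "../../etc/cron.d/job.txt", "/etc/passwd", "shell.jsp"):
        naive = naive_destination(UPLOAD_ROOT, name)
        print(f"{name!r:32} naive -> {naive} (escapes={escapes_root(UPLOAD_ROOT, naive)})"
              f" hardened rejects={rejects(UPLOAD_ROOT, name)}")
```

The point of the two-layer check is that the traversal defence does not depend on the framework's own parameter parsing: even if an upstream layer can be tricked into passing a path-like filename, this handler never uses it to build the destination.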
What do you do now?
Sit down with your teams now. Pull up all your SBOMs and HBOMs. Look for Apache Struts. Evaluate your risk. Then, talk to your vendors. Ask them for their list of Apache Struts risks. You can use a tool like Meaningful Security Conversations with your Vendors to guide conversations with vendors, supply chain, and others.
You can see from Cisco Systems’ evolving security advisory that Apache Struts has the potential to show up in unexpected areas of your architecture. Cisco’s work can be an indicator for the industry of the breadth of CVE-2023-50164 risk. If Cisco continues to add to its list, it means its SBOM, HBOM, and product security research are finding more areas where Apache Struts is used.
Do your risk assessment and research. The presence of Apache Struts in a device does not by itself mean that element is at risk. For example, if you are using CVSS 3.X, complete the scoring for each element where Apache Struts is used.
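The "pull up your SBOMs and look for Apache Struts" step above is easy to automate once the SBOMs are in a machine-readable format. The following is an added example, not a tool from this post or from the Apache project, that reads a CycloneDX JSON SBOM, inventories every component published under the org.apache.struts Maven group, and compares each one against a first-fixed-release table the caller supplies. The SBOM embedded here is constructed, the component versions in it are made up, and the script deliberately ships with no fixed-version table: the first fixed release for each Struts branch must be taken from the Apache advisory, and anything not in the table is reported for manual review rather than silently cleared.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 SBOM with a handful of components; not from any real product.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "2.5.30", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.30"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-convention-plugin",
     "version": "6.3.0", "purl": "pkg:maven/org.apache.struts/struts2-convention-plugin@6.3.0"},
    {"type": "library", "group": "org.example", "name": "example-lib",
     "version": "1.5", "purl": "pkg:maven/org.example/example-lib@1.5"},
    {"type": "library", "group": "org.apache.struts", "name": "struts-core",
     "version": "1.3.10", "purl": "pkg:maven/org.apache.struts/struts-core@1.3.10"}
  ]
}
"""

STRUTS_GROUP = "org.apache.struts"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Parsing stops at the first non-numeric piece, so '2.5.33-SNAPSHOT'
    compares as (2, 5, 33)."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_older_than(version: str, threshold: str) -> bool:
    """True if version sorts strictly before threshold; short tuples are zero-padded
    so that 6.3.0 < 6.3.0.2 and 6.3.0 == 6.3.0.0."""
    a, b = parse_version(version), parse_version(threshold)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_struts_components(sbom_json: str) -> List[Dict[str, str]]:
    """Inventory every component from the Struts Maven group, matched by group or purl."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        group = comp.get("group", "")
        purl = comp.get("purl", "")
        if group == STRUTS_GROUP or purl.startswith(f"pkg:maven/{STRUTS_GROUP}/"):
            version = comp.get("version", "")
            hits.append({
                "name": comp.get("name", ""),
                "version": version,
                "branch": version.split(".")[0] if version else "",
                "purl": purl,
            })
    return hits


def assess(components: List[Dict[str, str]],
           first_fixed_by_branch: Dict[str, str]) -> List[Tuple[str, str]]:
    """Classify each component against the caller-supplied first-fixed table.

    Statuses: 'below-fixed' (update needed), 'at-or-above-fixed', or
    'branch-not-in-table' (e.g. a Struts 1 artifact), which goes to manual review."""
    results = []
    for comp in components:
        fixed = first_fixed_by_branch.get(comp["branch"])
        if fixed is None:
            status = "branch-not-in-table"
        elif is_older_than(comp["version"], fixed):
            status = "below-fixed"
        else:
            status = "at-or-above-fixed"
        results.append((comp["name"], status))
    return results


if __name__ == "__main__":
    # Inventory only: populate the table below from the Apache advisory before assessing.
    FIRST_FIXED_BY_BRANCH: Dict[str, str] = {}  # PLACEHOLDER, intentionally empty
    inventory = find_struts_components(SAMPLE_SBOM)
    for comp, (_, status) in zip(inventory, assess(inventory, FIRST_FIXED_BY_BRANCH)):
        print(f"{comp['name']:28} {comp['version']:10} branch={comp['branch']:3} {status}")
```

Feeding the same function a directory of vendor-supplied SBOMs gives the list to bring to the vendor conversation, and the "branch-not-in-table" bucket is where the per-element CVSS scoring the post recommends starts.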
