Another year, another Apache Struts 2 vulnerability that can lead to a major data breach. You may remember Apache Struts 2 from previous security alerts, like CVE-2017-5638, CVE-2020-17530, and CVE-2021-31805. When threat actors can find a vulnerability in the open-source web application framework, they immediately seek to create exploits. Typically, developers use the model-view-control (MVC) framework to build user interfaces for Java-based web applications.
Whether you love or hate Struts 2, the newly identified vulnerability, CVE-2023-50164, has the potential to wreak havoc on your life unless you know what to look for and how attackers are using the vulnerability.
An Overview of CVE-2023-50164
Originally published on December 7, 2023, the National Vulnerability Database updated its entry on December 14th.
The affected versions are:
- Apache Struts 2.0.0 – 2.5.33
- Apache Struts 6.0.0 -6.3.0.2
What attackers can do with the vulnerability:
- Manipulate file load parameters as part of path traversal
- Upload malicious files to perform RCE
The CVE listing links to CWE-552 Files or Directories Accessible to External Parties.
Essentially, attackers can place malicious code into uploaded file content into directories or other locations that should require authorization for access. When remotely executed by the attacker, the malicious code enables them to bypass server-side security mechanisms.
Understanding Exploits
Since the announcement, two different security research teams have published explanations showing how attackers can exploit the vulnerability.
Steps in an Attack
The typical attack pattern would follow these general steps:
- Reconnaissance to identify website or web application using the vulnerable Apache Struts version
- Creation of malicious file
- Creation of file upload file request containing path traversal command that manipulates parameters by including file name and path
- Uploading request to vulnerable server
- Accessing uploaded malicious file through browser or script
- Performing additional actions
Observed exploitation attempts
The researchers at TrendMicro provide some insight about how attackers can use the vulnerability, explaining that attackers can manipulate the parameters by changing values to upper or lower case, like swapping param1=”value1″ to Param1=”Value1″. This simple shift from lowercase to uppercase then overrides the internal file name variable.
The researchers at Akamai identified several exploitation attempts that match the initial Proof of Concept (PoC) and deviate from it. While the researchers explain that the attempts are present in the wild, they note that those similar to the PoC exploit would require the targeted endpoint to possess file upload functionality, making it unlikely that the attackers would succeed.
The researchers identified variants on the initial PoC that target the /s2/upload.action rather than the original /login.action. Again, the endpoints would need to have file upload functionality for the attackers to be successful.
Steps for Mitigating Apache Struts 2 Exploit Risks
For developers, the primary risk that this vulnerability poses lies in the framework’s popularity rather than ease of exploitation. To undermine security, the application needs to:
- Use a vulnerable Struts version
- Allow for multipart file uploads
Identify Vulnerable Apache Struts Versions
Your first step to mitigating risk is to identify all vulnerable versions of Apache Struts across your application and its dependencies. If you generate a reliable Software Bill of Materials (SBOM) that identifies all open source libraries and all CVEs, you can focus on only those containing a vulnerable Apache Struts version.
Prioritize Based on Exploitability
Your application may use or have a component that uses a vulnerable version of Apache Struts. However, for attackers to leverage the vulnerability, your application needs to meet two specific requirements. Your vulnerability scanning should incorporate:
- Real world threat information
- Details about how attackers are exploiting this vulnerability in the wild
- Insight into whether attackers can use the vulnerability within your source code’s unique context
Apply Patches
If you identify a vulnerable Apache Struts 2 version, you should update the affected system to either:
- 2.5.33
- 6.3.0.2 or greater
Enumerate Components that Access User Input
As a best practice, you want to ensure that you check:
- HTTP GET and POST queries
- File uploads and HTML forms
- Request parameters that could be used for file-related operations
- Variable names that attackers might find interesting
- Cookies that attackers could identify when the application generates pages or templates
Validate Inputs
Input validation means that you’re making sure the software component only accepts appropriately formatted data. Essentially, with CVE-2023-50164, the application accepts the parameters as either uppercase or lowercase, but the difference between them allows attackers to change how the program functions.
By validating inputs, you ensure that the application only accepts the format that you want. This way, attackers can’t simply swap uppercase for lowercase to execute the attack.
QwietAI: Mitigate Risk by Identifying Apache Struts 2 Vulnerabilities
Quiet AI’s preZero platform enables you to identify and remediate your application’s most critical and impactful vulnerabilities. Our proprietary Code Property Graph (CPG) breaks code down into its fundamental parts while correlating them with data flows so that you can identify the vulnerabilities attackers are most capable of exploiting within your source code’s context. With Qwiet Blacklight, the only threat intelligence feed focused on application security, you gain visibility into real-world attacks actively targeting vulnerabilities, enabling you to enhance your prioritization strategies.
Try Qwiet AI’s preZero platform for free to see how it can help you mitigate JavaScript vulnerabilities and speed time-to-market.