
US CISA has warned about an Apache Struts vulnerability that a remote attacker could exploit to take control of an affected system, and urges administrators and users to apply the necessary mitigations without delay.
CVE-2023-50164 is a critical vulnerability (CVSS score 9.8) in Apache Struts, a widely used, free, open-source MVC framework for building Java web applications.
An attacker who exploits the flaw can manipulate file upload parameters to achieve path traversal under certain conditions, and in turn upload a malicious file that can be used to perform remote code execution (RCE).
The vulnerability affects the following versions of Apache Struts:
- Struts 2.0.0 – Struts 2.3.37 (end-of-life, so the only remedy is to move to a fixed 2.5 or 6.x release)
- Struts 2.5.0 – Struts 2.5.32
- Struts 6.0.0 – Struts 6.3.0
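To inventory which deployments fall into these ranges, the following is an added example (not from the advisory or the Struts project): a small Java program that walks a directory tree, picks out `struts2-core-<version>.jar` files by name, and classifies each against the three ranges above. Version components are compared numerically, with a missing component counted as zero, so the fixed 6.3.0.2 sorts after 6.3.0 and 2.5.33 after 2.5.32. The default root `/opt/tomcat/webapps` is an assumption; pass the real path as the first argument.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class StrutsVersionCheck {

    // Inclusive ranges from the Apache advisory, as listed above.
    private static final String[][] AFFECTED = {
        {"2.0.0", "2.3.37"},
        {"2.5.0", "2.5.32"},
        {"6.0.0", "6.3.0"},
    };

    // Matches release jars such as struts2-core-2.5.32.jar or struts2-core-6.3.0.2.jar.
    private static final Pattern CORE_JAR =
            Pattern.compile("struts2-core-(\\d+(?:\\.\\d+)*)\\.jar");

    /** Numeric, component-wise comparison; a missing component counts as 0 (6.3.0 == 6.3.0.0). */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\.");
        String[] pb = b.split("\\.");
        int len = Math.max(pa.length, pb.length);
        for (int i = 0; i < len; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** True if the version lies inside any of the affected ranges (bounds inclusive). */
    static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compareVersions(version, range[0]) >= 0
                    && compareVersions(version, range[1]) <= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: the servlet container's webapps directory; override on the command line.
        Path root = Paths.get(args.length > 0 ? args[0] : "/opt/tomcat/webapps");
        try (Stream<Path> paths = Files.walk(root)) {
            paths.forEach(p -> {
                Path fileName = p.getFileName(); // null for a filesystem root
                if (fileName == null) {
                    return;
                }
                Matcher m = CORE_JAR.matcher(fileName.toString());
                if (m.matches()) {
                    String version = m.group(1);
                    System.out.printf("%-21s %s (%s)%n",
                            isAffected(version) ? "AFFECTED" : "not in affected list",
                            p, version);
                }
            });
        }
    }
}
```

This is a quick inventory, not a vulnerability scan: a renamed, shaded or repackaged jar is not found by file name, so confirm doubtful cases against `Implementation-Version` in the jar's `META-INF/MANIFEST.MF` or the build's dependency tree. "not in affected list" means only that; a 2.3.x jar still has no fixed release to move to other than 2.5.33 or 6.3.0.2.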
Shadowserver has identified a number of IP addresses involved in exploitation attempts against CVE-2023-50164.

The attackers are using publicly available proof-of-concept (PoC) exploit code for CVE-2023-50164; it is not yet known whether any of the attempts have succeeded.
The PoC author suggests two mitigations in addition to patching:
- Do not expose file upload paths to unauthorized users.
- Add an interceptor at the file upload location to validate the upload.
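As an added example (not the PoC author's code, and not anything shipped by the Struts project), the following Struts 2.5/6.x interceptor implements the second suggestion. It inspects every request parameter whose name ends in `FileName`, the convention Struts uses for the `<field>FileName` setter that receives an uploaded file's name, matching the suffix case-insensitively so a differently cased parameter is not skipped, and refuses the request with HTTP 400 if a value contains a path separator, a drive colon, a NUL or other control character, or is `.` or `..`. The package and class names are hypothetical, and the `FileName` suffix heuristic is an assumption about how the application's upload actions are written; it targets the `javax.servlet` API that Struts 2.5 and 6.x use.

```java
package com.example.struts.security; // hypothetical package

import java.io.IOException;
import java.util.Locale;
import java.util.Map;

import javax.servlet.http.HttpServletResponse;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.dispatcher.HttpParameters;
import org.apache.struts2.dispatcher.Parameter;

/**
 * Rejects any request whose *FileName parameters would let an uploaded file
 * escape the upload directory. Added example; not part of Struts itself.
 */
public class UploadFileNameInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    // Characters that turn a file name into a path or a drive/device reference.
    private static final char[] FORBIDDEN = {'/', '\\', ':', '\0'};

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpParameters params = invocation.getInvocationContext().getParameters();
        for (Map.Entry<String, Parameter> entry : params.entrySet()) {
            String paramName = entry.getKey();
            // Assumption: file name setters follow the Struts convention <field>FileName.
            if (!paramName.toLowerCase(Locale.ROOT).endsWith("filename")) {
                continue;
            }
            String[] values = entry.getValue().getMultipleValues();
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value == null || value.isEmpty()) {
                    continue; // nothing to validate; the setter will receive no name
                }
                if (!isSafeFileName(value)) {
                    reject(paramName);
                    return Action.NONE; // the 400 already sent is the whole response
                }
            }
        }
        return invocation.invoke();
    }

    private static void reject(String paramName) throws IOException {
        HttpServletResponse response = ServletActionContext.getResponse();
        // Name the parameter, never its value, so the attacker's input is not reflected.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Rejected file name in parameter '" + paramName + "'");
    }

    /** True only for a plain file name: no separators, no drive colon, no control bytes, not "." or "..". */
    static boolean isSafeFileName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) {
            return false;
        }
        for (char c : FORBIDDEN) {
            if (name.indexOf(c) >= 0) {
                return false;
            }
        }
        if (name.equals(".") || name.equals("..")) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            if (Character.isISOControl(name.charAt(i))) {
                return false;
            }
        }
        return true;
    }
}
```

Declare the interceptor in `struts.xml` and reference it in the action's stack between `fileUpload` and `params`: at that point it sees both the client-supplied parameters and the file-name parameters the multipart handling has added, immediately before `params` copies them onto the action. Placing it only before `fileUpload` would miss the latter. This is defence in depth for exposed upload endpoints, not a substitute for upgrading.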
Cisco has warned that some of its products that use Apache Struts may be affected and has opened an investigation to identify them and assess the impact.
Products currently under review include Cisco Customer Collaboration Platform, Identity Services Engine (ISE), and a number of network management, voice and unified communications products.
Cisco will update its advisory with the results, including a bug ID for each affected product and details of available workarounds and fixes.
Apache released the fix for CVE-2023-50164 on December 7, 2023. To defend against exploitation attempts, users should upgrade to Struts 2.5.33 or Struts 6.3.0.2, or a later release.


