Yet another remote code execution vulnerability in Apache's Struts2 Framework has been discovered, leaving many with strong feelings of Deja Vu. If you're a developer, it's not unreasonable to be concerned about how you may spend the final weeks of 2023.
Unfortunately, the recent identification of CVE-2023-50164 in Apache Struts is quite similar to other vulnerabilities we've seen in the past, most notably the high-profile cybersecurity Struts2 vulnerability in 2017 that impacted Equifax, Log4Shell (Log4j), which came at the end of 2021, and Spring4Shell that followed shortly after.
Note: Sonatype customers using Sonatype Repository Firewall and Sonatype Lifecycle are protected from this issue. Sonatype security research conducted a deep dive analysis into the issue as it surfaced.
At its core, this vulnerability allows attackers to exploit a flaw in Apache Struts' file upload system. It lets them manipulate the file upload parameters and perform path traversal. This exploitation can result in arbitrary code execution on the server, leading to various outcomes like unauthorized data access, system compromise, or even complete control over the affected systems, including placing malicious files within systems.
Taking a closer look, CVE-2023-50164 involves a vulnerability in the file upload mechanism of Apache Struts. For a non-technical audience, imagine a scenario where a security checkpoint (the file upload mechanism) is bypassed due to a loophole, allowing unauthorized access to secure areas (the server). From a technical perspective, the vulnerability lies in how Apache Struts handles a component called MultiPartRequestWrapper during file uploads. Attackers can manipulate this process to achieve path traversal, which allows them to overwrite arbitrary files, which may lead to executing arbitrary code on the server, config changes, etc.
The discovery of CVE-2023-50164 has significant real-world implications. For various sectors relying on Apache Struts, the risks range from data breaches and operational disruptions to financial losses. For instance, a successful attack could lead to compromised customer data in financial services or exposed patient records in healthcare settings.
As we have discussed, hackers move quickly and sometimes before public disclosure (0 days). This vulnerability follows a similar pattern with rapid development and release of exploits following its discovery. There is evidence that Proof of Concept (PoC) exploits were identified and reported in the wild very soon after the vulnerability was disclosed. This expedited timeline significantly increases the risk associated with the vulnerability, leaving a much shorter period for system administrators and IT teams to react and secure their systems.
Finally, in many ways, the concerns related to a short timeline for action are compounded by the nature of this particular vulnerability. Because the flaw allows attackers to manipulate and overwrite arbitrary files, this opens up numerous avenues for attacks, which might take time for adversaries to execute. The potential for various attack vectors is substantial, and the ability to predict how an attacker may leverage this is very low. Given this, organizations must act quickly, as there is little to no window to patch systems and mitigate the vulnerability before it can be actively exploited.
The implications of CVE-2023-50164 bear a striking resemblance to those of the Log4j vulnerability, Log4Shell, in terms of impact and the broad array of systems affected. While this vulnerability is not as easy to exploit as Log4Shell, there are already examples of the exploit reported. More notably, it echoes the Struts2 vulnerability exploited in the Equifax breach in 2017.
Of particular concern to security researchers is the widespread adoption of Apache Struts in various industries underscores the potential global impact of CVE-2023-50164. From financial services to healthcare and government agencies, the ramifications of this vulnerability could be extensive, leading to significant data breaches, operational disruptions, and considerable financial losses.
The threat is exacerbated by the often unknown or unmonitored use of Apache Struts in many organizations' software infrastructures. This similarity is a stark reminder of the potential for significant data breaches and the extensive damage they can cause, both financially and in terms of consumer trust.
Mitigating the risk posed by CVE-2023-50164 requires immediate and strategic action. Key steps include updating Apache Struts to the latest, patched version to address this vulnerability. Organizations are also urged to conduct thorough audits to identify any vulnerable components within their systems. However, depending on your organizational role, there are several best practices for mitigating vulnerabilities we recommend.
Risk assessment and resource allocation: Understand the seriousness of CVE-2023-50164 and allocate appropriate resources for immediate response. This includes funding for necessary security tools and personnel.
Communication strategy: Develop a clear communication plan to inform relevant stakeholders, including IT teams, of the urgency to address this vulnerability. Transparency is key in managing potential risks and reassuring customers and partners.
Policy review and update: Ensure that your organization's cybersecurity policies are up to date and robust enough to handle such vulnerabilities. This may involve reviewing incident response plans and updating protocols for emergency patching.
Training and awareness: If you haven't already, start investing in cybersecurity training and awareness programs for employees. Understanding the basics of such vulnerabilities can foster a culture of security mindfulness across the organization.
Vulnerability scanning and identification: Use security tools to scan your applications for instances of CVE-2023-50164. Prioritize applications that are externally accessible and contain sensitive data.
Patch management: Coordinate with IT teams to ensure that all instances of Apache Struts are updated to a version that patches CVE-2023-50164. Establish a schedule for regular updates and patches moving forward.
Incident response preparedness: Have an incident response plan specifically for scenarios like CVE-2023-50164. This includes having a response team ready, with defined roles and communication channels.
Monitoring and threat intelligence: Keep abreast of the latest threat intelligence regarding CVE-2023-50164 and potential exploits. Implement continuous monitoring to detect any suspicious activities that may indicate exploitation attempts.
Immediate patching: Update any instance of Apache Struts to the latest version that addresses CVE-2023-50164. For Apache Struts, refer to the official Apache Struts website for specific patch information.
Code review and testing: Review custom code, especially around file upload functionalities, for potential exploitation paths.
Dependency checks: Utilize tools to check for dependencies that may also be vulnerable. Ensure all components of the development stack are evaluated and updated if necessary.
Secure coding practices: Reinforce secure coding practices among the development team. This includes validating and sanitizing input, especially in areas related to file handling and user data processing.
Finally, we want to thank all the security professionals and developers for their continued efforts as they defend organizations and critical infrastructure from potential threats like CVE-2023-50164. If Log4Shell taught us anything, patching is only half the battle.
In fact, for many organizations, most of the time spent addressing this latest vulnerability will be spent trying to identify exactly where this vulnerability is in their portfolio of applications and whether it's exploitable in a specific context. However, hours spent reviewing lines of code isn't the only approach.
First, as this situation evolves, we'll continue to provide the latest updates and guidance from our team of security experts. Equally important, though, is that by leveraging Sonatype's solutions, organizations can proactively respond to this vulnerability and any others with automated detection, real-time alerts, and comprehensive remediation guidance. This means you can focus development time on correcting vulnerable applications and not searching through lines of code.
Good luck, teams!
Further reading: