New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)

The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164).


About CVE-2023-50164

CVE-2023-50164 may allow an attacker to manipulate file upload parameters to enable path traversal. Under some circumstances this may allow the attacker to upload a malicious file that can be used to perform remote code execution.
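The failure mode the advisory describes, an attacker-controlled upload parameter steering where the file lands, is a general one. The following Python is an added illustration written for this page, not Struts code and not a reproduction of the CVE-2023-50164 internals (which the advisory does not describe): it contrasts an upload handler that joins the client-supplied filename onto the upload directory unchecked with one that resolves the candidate path and refuses anything outside that directory. The upload directory and filenames are constructed sample values.

```python
"""Path traversal through an upload filename: unchecked join vs. containment check.

Added example, not from the Apache Struts project. The upload directory and the
two filenames below are constructed sample inputs.
"""
from pathlib import Path
import tempfile

# Constructed upload directory (need not exist for the checks below).
UPLOAD_DIR = str(Path(tempfile.gettempdir()) / "struts-uploads")

# Constructed filenames as a multipart upload handler might receive them: a
# benign client sends "report.pdf"; an attacker sends a traversal sequence
# aimed at a directory the servlet container serves and compiles JSPs from.
BENIGN_NAME = "report.pdf"
TRAVERSAL_NAME = "../../webapps/ROOT/shell.jsp"


def vulnerable_target(upload_dir: str, filename: str) -> Path:
    """Joins the user-supplied name onto the upload directory with no check.

    '..' segments survive the join, and an absolute filename replaces the
    upload directory entirely, so the result can point anywhere on disk.
    """
    return Path(upload_dir) / filename


def _contained(base: Path, candidate: Path) -> bool:
    """True if candidate lies strictly below base after resolution.

    Comparing resolved paths (rather than searching for '../' in the string)
    also catches absolute names, mixed separators and redundant segments.
    Note: resolve() follows symlinks, so a symlink inside the upload directory
    that points elsewhere is rejected as well.
    """
    return base in candidate.parents


def hardened_target(upload_dir: str, filename: str) -> Path:
    """Resolves the candidate path and refuses anything outside upload_dir."""
    base = Path(upload_dir).resolve()
    candidate = (base / filename).resolve()
    if not _contained(base, candidate):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return candidate


def escapes_upload_dir(upload_dir: str, filename: str) -> bool:
    """True if the unchecked join would write outside upload_dir."""
    base = Path(upload_dir).resolve()
    return not _contained(base, vulnerable_target(upload_dir, filename).resolve())


def is_accepted(upload_dir: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this filename?"""
    try:
        hardened_target(upload_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in (BENIGN_NAME, TRAVERSAL_NAME, "/etc/passwd", "."):
        print(f"{name!r}: unchecked escapes={escapes_upload_dir(UPLOAD_DIR, name)}, "
              f"hardened accepts={is_accepted(UPLOAD_DIR, name)}")
```

The containment check is the part that matters; the same pattern in a Java servlet is `Path.resolve(...).normalize()` on the upload directory followed by `startsWith` against the normalized base. Stronger still is to discard the client-supplied name altogether and store uploads under a server-generated name with an allowlisted extension.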

No additional details are available at this time.

The vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1, and has been fixed in Apache Struts versions 2.5.33 and 6.3.0.2. Note that the 2.3.x branch is end-of-life and receives no fix, so deployments still on it need to move to 2.5.33 or 6.3.0.2 rather than wait for a 2.3.x release.

“All developers are strongly advised to perform this upgrade,” the Apache Struts project urges. “This is a drop-in replacement and upgrade should be straightforward.”

The sentiment was echoed by security researcher and prolific bug hunter Steven Seeley of Source Incite, who reported the flaw to the project maintainers.

Vulns in Apache Struts 2 are often leveraged by attackers

Apache Struts 2 is a modern open-source Java framework for building enterprise-ready web applications. (Its predecessor, Apache Struts 1, is no longer actively developed or maintained.)

The 2017 compromise of Equifax’s US website and the subsequent massive data breach was the result of an Apache Struts 2 flaw (and lax patching practices). Struts 2 vulnerabilities are often exploited by attackers once a fix is public, which is why the project’s “upgrade ASAP” advice should be taken literally.

UPDATE (December 12, 2023, 06:50 a.m. ET):

An analysis of the bug is available here.

UPDATE (December 14, 2023, 05:25 a.m. ET):

Attackers have started using public PoC exploit code for CVE-2023-50164.
