On December 14, 2023, a security researcher published a proof of concept (POC) for the recent vulnerability on GitHub.
Context
Throughout the second half of December 2023, details have publicly emerged surrounding CVE-2023-50164, a vulnerability in Apache Struts with a 9.8 severity rating. According to the disclosure:
“An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.”
Technical Details
According to the POC:
“A simple dummy app is developed for demonstration purposes (see struts-app folder). You can deploy it to Tomcat or any other servlet, or run it by mvn jetty:run. In this latter case you can reach the app on port 9999. The exploit script works only in cases when the app is deployed to Tomcat since the exploitation path is to upload a WAR webshell. However, many other exploitation paths can work in case of the same vulnerability based on the used technologies and other circumstances.”
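As an added illustration (not code from the advisory or from the POC repository), the following Python shows the defender-side check that the disclosure implies: a client-supplied upload name is accepted only if, after normalization, it still resolves inside the upload directory, and the same check is run over constructed log lines to flag traversal attempts. UPLOAD_ROOT, the log line format and the sample lines are assumptions made for this example.

```python
import posixpath
import re

# Assumed upload directory of the Struts application (constructed for this example).
UPLOAD_ROOT = "/var/www/app/uploads"


def resolve_upload(root, client_filename):
    """Resolve a client-supplied upload filename against root.

    Returns the absolute destination path, or None when the name would escape
    root. Backslashes are treated as separators because the servlet container
    may run on Windows, and the name is normalized before the containment check
    so that '..' segments cannot hide behind an innocent-looking prefix.
    Subdirectories below root are allowed; anything above it is rejected.
    """
    root = posixpath.normpath(root)
    name = client_filename.replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        return None                      # NUL truncation or absolute path
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or not candidate.startswith(root + "/"):
        return None                      # normalized path left the upload root
    return candidate


# Constructed access-log style lines: timestamp, client, request, upload name.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<req>[^"]*)" upload="(?P<name>[^"]*)"$')


def flag_traversal_uploads(log_lines, root=UPLOAD_ROOT):
    """Return (client, name) for every upload whose name would escape root."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and resolve_upload(root, m.group("name")) is None:
            flagged.append((m.group("client"), m.group("name")))
    return flagged


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2023-12-15T10:00:01Z 203.0.113.5 "POST /upload.action" upload="report.pdf"',
    '2023-12-15T10:00:07Z 198.51.100.9 "POST /upload.action" upload="../../webapps/x.war"',
    '2023-12-15T10:00:09Z 198.51.100.9 "POST /upload.action" upload="img/..\\..\\..\\webapps/x.war"',
    '2023-12-15T10:00:12Z 203.0.113.5 "POST /upload.action" upload="photos/holiday.jpg"',
]

if __name__ == "__main__":
    for client, name in flag_traversal_uploads(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {name!r}")
```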
Mitigation Recommendations
Any organization leveraging Apache Struts is encouraged to upgrade as soon as possible to the patched versions named in the disclosure: Struts 2.5.33, Struts 6.3.0.2, or greater.
Historical Perspective
The disclosure of CVE-2023-50164 and the associated exploit POC recall the disclosure and fallout of previous Apache vulnerabilities:
CVE-2017-5638 is a severity 10 vulnerability found in Struts in 2017.
“The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.”
CVE-2021-40438 is a severity 9 vulnerability found in the Apache HTTP Server in 2021.
“A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.”
CVE-2022-25762 is a severity 8.6 vulnerability found in Apache Tomcat in 2022.
“If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong user and/or other errors.”
Given the prevalence of Apache tools, organizations in the retail, hospitality, and travel community are encouraged to remain vigilant regarding security issues affecting any Apache tools leveraged in operations and to implement mitigations as soon as they become available.