Table of Contents
Critical RCE Flaw in Apache Struts 2
Exploitation attempts observed after PoC code publication
Security researchers have recently noted a significant uptick in exploitation attempts targeting a critical remote code execution (RCE) flaw in Apache Struts 2 shortly after proof-of-concept (PoC) code became publicly available. This code provided potential attackers with a blueprint for how to exploit the vulnerability, effectively lowering the bar for conducting successful attacks against unpatched systems. The increased activity underscores the urgent need for administrators to apply patches to their Struts 2 installations to prevent system compromises.
Bug tracked as CVE-2023-50164 with a CVSS score of 9.8
The vulnerability in question has been assigned the identifier CVE-2023-50164 and has been given a critical severity rating, with a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10. This high score reflects the ease with which the vulnerability can be exploited, the potential for it to be exploited remotely without requiring user interaction, and the ability of an attacker to gain full control over the affected system.
Vulnerability located in the file upload logic
The critical flaw exists within the file upload logic of Apache Struts 2. This component is widely used to handle multipart data sent to web applications, such as when users upload files. Due to improper input validation, malicious actors have the ability to craft special HTTP requests that can mislead the file upload mechanism, leading to the execution of arbitrary code on the server hosting the vulnerable application.
Apache Software Foundation’s advisory and call for patching
The Apache Software Foundation, the organization responsible for the maintenance of Apache Struts, has issued an official advisory concerning the RCE vulnerability. In their advisory, they detail the nature of the flaw and strongly urge all users of Apache Struts 2 to apply the latest patches immediately. Failing to patch could leave systems open to severe security breaches, including data theft, website defacement, and complete server takeovers.
Trend Micro’s explanation of parameter pollution leading to RCE
Security experts at Trend Micro have shed light on the technical mechanisms behind the RCE vulnerability, explaining that it stems from an issue known as parameter pollution. An attacker can manipulate parameters that are processed by the Struts 2 framework, combining them in a way that alters the expected data flow through the application. This manipulation can ultimately lead to the execution of malicious commands, thereby achieving remote code execution. Trend Micro's insights provide a deeper understanding of the vulnerability's inner workings and underscore the sophistication of the potential attacks. As such, it is paramount for organizations to promptly address this security flaw to protect their digital infrastructure.
Attack Landscape and Challenges
Broad exploitation observed by cybersecurity entities
Cybersecurity professionals have noticed a broad pattern of exploitation attempts targeting the critical remote code execution (RCE) vulnerability in Apache Struts 2, identified as CVE-2023-50164. Various firms within the cybersecurity community have reported that threat actors are actively scouting for and attempting to exploit vulnerable systems that are accessible via the internet. This observation suggests that the release of a publicly available PoC has heightened the risk associated with this flaw, as more would-be attackers obtain the necessary information to carry out attacks.
Comparison with CVE-2017-5638 and associated challenges
The recent vulnerability in Apache Struts 2, while serious, presents different challenges for attackers when compared to the notorious CVE-2017-5638, which was infamously exploited in the Equifax breach in 2017. Exploiting the current vulnerability at scale is considered more complex due to its intricate mechanism, which involves manipulating HTTP request parameters. While CVE-2017-5638 was relatively easier to exploit, the attacks targeting CVE-2023-50164 require more precision and understanding of the target environment, thus acting as a slight deterrent to widespread exploitation. Despite these challenges, organizations must remain vigilant due to the demonstrated interest of attackers in this vulnerability.
Various exploitation attempts, some using PoC code
Since the emergence of PoC code for the CVE-2023-50164 vulnerability, there has been a surge in reported exploitation attempts. Threat actors ranging from individual opportunists to more sophisticated adversaries are leveraging the PoC code to attack vulnerable instances of Apache Struts 2. These attempts vary in their level of sophistication and success. While it remains unclear if these attempts have resulted in actual breaches, the fact that such activities are being observed indicates a clear and present danger to unpatched systems. The diverse nature of the exploitation attempts highlights the need for widespread awareness and swift remediation efforts by affected parties.
Vulnerability Details and Patch Information
Description of the /upload.action endpoint issue
The RCE vulnerability within Apache Struts 2 stems from the way in which the framework handles file uploads, specifically through the /upload.action endpoint. Attackers exploit the endpoint by crafting a malicious request that takes advantage of the parameter pollution issue. This flaw allows for a special construction of HTTP requests that misrepresent multipart data, resulting in an improper execution of file upload logic leading to remote code execution.
Apache’s changes causing case-insensitive HTTP parameter handling
Apache introduced changes in some versions of the Struts framework that inadvertently made the HTTP parameter handling case-insensitive. This pertains especially to how the framework processes file extensions within file upload requests. By introducing an additional HTTP parameter in a case that is not expected by the server, attackers are able to override internal variables related to file names. This case-insensitive handling is at the heart of the exploitation technique used in CVE-2023-50164.
Struts’ file upload handling and deletion process
Normally, Apache Struts efficiently manages file uploads by allocating temporary files for multipart requests. Once a file is uploaded and processed, it is intended to be safely deleted. However, the vulnerability in question allows an attacker to manipulate this process, creating the potential for arbitrary code execution instead of the file's safe deletion. The manipulation takes advantage of specific points within the file upload and deletion process that are exposed due to the flaw.
Struts versions affected and patched
Apache Struts versions impacted by CVE-2023-50164 cover a wide range of releases. The affected versions are from Struts 2.0.0 to 2.3.37, 2.5.0 to 2.5.32, as well as 6.0.0 to 6.3.0. The Apache Software Foundation has addressed this serious vulnerability by releasing patches for the affected versions, which are available for download. Users running vulnerable versions of Struts are strongly encouraged to update to the patched versions as soon as possible to mitigate the risks associated with this RCE flaw.
Industry Response and Recommendations
Trend Micro, Akamai, Malwarebytes, and Shadowserver Foundation observations
Prominent cybersecurity organizations such as Trend Micro, Akamai, Malwarebytes, and the Shadowserver Foundation have taken note of the surge in exploitation attempts associated with CVE-2023-50164. These entities have been closely tracking the threat landscape, sharing observations of attack patterns and techniques leveraged against vulnerable Apache Struts 2 instances. They serve as valuable sources of threat intelligence and provide near-real-time updates on how the vulnerability is being exploited in the wild. Their insightful analysis helps in understanding the sophistication of the attacks and emphasizes the widespread nature of the potential threat.
Urgent advice for Struts users to upgrade to a patched version
In light of the active exploitation and critical nature of CVE-2023-50164, the industry consensus clearly advises all Struts users to promptly upgrade to the latest patched version provided by the Apache Software Foundation. Given the high severity of the vulnerability, delaying this process can leave systems open to remote code execution attacks, which can have devastating effects on the confidentiality, integrity, and availability of systems and the data they hold. The advice from industry experts is unanimous in urging system administrators to prioritize this update to mitigate the risk of being compromised.
Reference to other security news and events
Keeping abreast of the current cybersecurity landscape goes beyond monitoring and responding to individual vulnerabilities. It requires awareness of the broader context of security news and events. In addition to tracking CVE-2023-50164, the security community must stay informed about related cybersecurity developments. This includes trends in phishing campaigns, the evolution of malware, and other RCE vulnerabilities being discovered. Such awareness can facilitate a more robust defense posture and promote proactive security practices that can prevent breaches before they occur. The industry's efforts to share knowledge and collaborate on threat intelligence play a vital role in strengthening the overall cybersecurity of organizations worldwide.
