Threat actors have started probing internet-accessible Apache Struts 2 instances affected by a recently disclosed remote code execution (RCE) flaw.
The critical-severity bug, tracked as CVE-2023-50164 (CVSS score of 9.8), was disclosed a week ago, when the Apache Software Foundation announced patches for it, urging customers to apply them immediately.
In its advisory, the non-profit organization explained that the issue resides in Struts’ file upload logic and that it could enable path traversal. Under certain circumstances, it allows an attacker to upload a malicious file and achieve RCE.
The security defect exists in the /upload.action endpoint, allowing an attacker to manipulate file upload parameters, cybersecurity firm Trend Micro says. Parameters are treated differently based on case sensitivity, but recent changes made by Apache led to case-insensitive HTTP parameters.
“The vulnerability in Apache Struts arises from parameter pollution. In this scenario, an attacker can manipulate the request by modifying the initial parameter and subsequently introducing an additional parameter in lowercase. This lowercased parameter can then override an internal file name variable, leading to the exploitation of the system,” Trend Micro explains.
Upon file upload, Struts creates a temporary file that is deleted after the file is written to the assigned path value. However, if the cached file exceeds a certain value, it is not deleted.
It was discovered that, if the attacker can control the filename value of the temporary file, they can exploit CVE-2023-50164 to upload a malicious payload.
When the arguments from the HTTP request are processed, if the manipulated filename value has path traversal characters, the bug leads to check bypass, allowing the payload to persist.
Trend Micro notes that it has seen broad exploitation of the vulnerability, with multiple threat actors targeting it in malicious attacks.
However, the cybersecurity firm also notes that “exploiting this vulnerability at scale becomes significantly challenging for attackers, as it lacks the same straightforward scanning and exploitation capabilities observed in CVE-2017-5638”, an unauthenticated OS command execution bug in Struts 2 that was exploited to hack Equifax in 2017.
Along with Trend Micro, Akamai, Malwarebytes, and the Shadowserver Foundation too have seen exploitation attempts targeting CVE-2023-50164, but it is unclear if the attackers were able to breach the targeted environments. Some of these attempts rely on recently released proof-of-concept (PoC) exploit code, while others are deviations from the PoC.
CVE-2023-50164 impacts Struts versions 2.0.0 to 2.3.37 (which reached end of life), 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. Apache addressed the bug in Struts versions 2.5.33 and 184.108.40.206. All Struts users are advised to upgrade to a patched version as soon as possible.