A vulnerability tracked as CVE-2023-50164 is being exploited by attackers to abuse the file upload functionality of Apache Struts2, an open-source framework for developing Java web applications. Barracuda MSP advises users to review this Cybersecurity Threat Advisory and upgrade Apache Struts to a fixed version, or to apply the corresponding patch from the vendor of any product that bundles Struts.
What is the threat?
This vulnerability lets an attacker manipulate the parameters of a multipart file upload so that the file is written outside the intended upload directory, which can be turned into remote code execution (for example by dropping a JSP web shell under the application's web root). In the public proof-of-concept the vulnerable endpoint is "/upload.action". The root cause is inconsistent handling of parameter-name case. HTTP parameter names are case-sensitive, so parameter=value and Parameter=value arrive as two distinct parameters; the Struts code that merges upload parameters, however, matched names case-insensitively, which is what the Apache team's fix commits change. The result is a parameter-pollution bug: the attacker alters the case of the file-upload parameter's name and then adds a lowercase parameter that collides with the file name parameter Struts derives internally; the lowercase parameter overrides the framework's value, giving the attacker control of the path the uploaded file is written to.
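The following is an added illustration of the parameter-pollution pattern described above; it is not Apache Struts' own code but a simplified model. It builds the parameter map a multipart upload handler hands to the action, first with case-insensitive names (the behaviour the advisory describes) and then with exact-match names, and shows a containment check that a file-writing handler should perform regardless. The upload directory, the request, and the parameter names `Upload` and `uploadFileName` are constructed for the example.

```python
"""Simplified model of the upload parameter-pollution pattern.

Added illustration, not Apache Struts' own code.  A multipart upload
handler derives a `<part>FileName` parameter from the uploaded part and
later reads it back from a parameter map that also holds the client's form
fields.  With case-insensitive names a client-supplied `uploadFileName`
collides with the handler-derived `UploadFileName` and overrides it; with
exact-match names it does not.
"""
import posixpath

UPLOAD_DIR = "/srv/app/uploads"          # constructed example path


def build_params(part_name, client_filename, form_fields, case_insensitive):
    """Build the parameter map the upload handler hands to the action.

    Handler-derived entries go in first, then the client's form fields, so
    a form field whose name collides with a derived name overrides it.
    Returns the map and the key under which the handler expects the file
    name.
    """
    def key(name):
        return name.lower() if case_insensitive else name

    derived = {
        part_name: "<temporary upload file>",
        # The handler itself only ever stores the basename of the client's
        # filename header, so traversal in that header is neutralised.
        part_name + "FileName": posixpath.basename(client_filename),
    }
    params = {}
    for name, value in derived.items():
        params[key(name)] = value
    for name, value in form_fields.items():
        params[key(name)] = value
    return params, key(part_name + "FileName")


def effective_file_name(part_name, client_filename, form_fields, case_insensitive):
    """The file name the action ends up using for the uploaded file."""
    params, name_key = build_params(part_name, client_filename, form_fields, case_insensitive)
    return params[name_key]


def resolve_target(file_name):
    """Defence in depth: the absolute path the file would be written to, or
    None if the name would escape UPLOAD_DIR (path traversal)."""
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, file_name))
    if not target.startswith(UPLOAD_DIR + "/"):
        return None
    return target


# Constructed attacker request: the file part is named "Upload" (capital U)
# and a plain form field "uploadFileName" carries a traversal path.
ATTACK_PART = "Upload"
ATTACK_CLIENT_FILENAME = "hello.txt"
ATTACK_FIELDS = {"uploadFileName": "../../webapps/ROOT/shell.jsp"}


def demo():
    """Return (vulnerable name, fixed name, where the vulnerable name resolves)."""
    vuln = effective_file_name(ATTACK_PART, ATTACK_CLIENT_FILENAME, ATTACK_FIELDS, True)
    fixed = effective_file_name(ATTACK_PART, ATTACK_CLIENT_FILENAME, ATTACK_FIELDS, False)
    return vuln, fixed, resolve_target(vuln)


if __name__ == "__main__":
    print(demo())
```

With case-insensitive names the action receives `../../webapps/ROOT/shell.jsp`; with exact-match names it receives `hello.txt`. Whatever the merge rule, `resolve_target` is the check that has to exist in any handler that writes client-named files: it rejects the traversal path because the normalised result no longer sits under the upload directory.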
The following versions are vulnerable:
- Apache Struts 2.0.0 – 2.3.37
- Apache Struts 2.5.0 – 2.5.32
- Apache Struts 6.0.0 – 6.3.0
The vulnerability has been addressed in versions 2.5.33 and 6.3.0.2 and above. The 2.3.x branch is end-of-life and receives no fix, so deployments on 2.0.0 – 2.3.37 must upgrade to 2.5.33 or later.
Why is it noteworthy?
Exploitation attempts against CVE-2023-50164 were first observed on December 13, 2023. The vulnerability carries a CVSS score of 9.8 (critical) because an unauthenticated remote attacker can manipulate file upload parameters to perform path traversal and write a malicious file to a location from which it is executed, yielding remote code execution. Apache released the fixed Struts versions on December 7, 2023.
The threat is noteworthy because exploitation is already under way, because Struts is embedded in many enterprise Java applications and third-party products, and because the only complete fix is to patch promptly; unpatched systems remain exposed to unauthorized access, data breaches, and other malicious activity.
What is the exposure or risk?
CVE-2023-50164 is being actively exploited by a range of threat actors, which makes it a significant security risk for organizations across the globe.
The risk lies in the exposure of any system running a vulnerable Apache Struts2 version: a successful attacker can gain unauthorized access, execute arbitrary code, or carry out other malicious activity on the affected host. The risk is highest for systems that do not promptly apply the security patches, since attackers can use the vulnerability to compromise the application and its host, leading to data breaches, service disruption, or unauthorized control of the affected systems.
Individuals and organizations using Apache Struts2, especially those handling sensitive data or using it for business purposes, are at elevated risk. Exploitation of this vulnerability could result in data breaches, financial losses, and reputational damage.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of the Apache Struts file upload exploit:
- Apply security patches: Immediately upgrade to Apache Struts 2.5.33 or 6.3.0.2 (or later), and apply vendor patches for any third-party product that bundles Struts. Regularly check for and install updates to keep software secure.
- System monitoring: Continuously monitor systems for suspicious activity or unauthorized access. In particular, watch for multipart POST requests to file-upload endpoints that carry path-traversal sequences in their parameters, and for new executable files (for example JSP pages) appearing in web-accessible directories outside the expected upload location. Employ intrusion detection systems and regularly review logs for unusual behavior.
- Protection with WAF: Configure your web application firewall to block requests to upload endpoints whose parameter values or file names contain path-traversal sequences, and keep its signatures current. Treat this as a stop-gap that reduces exposure while patching is scheduled, not as a substitute for the patch.
- Incident response plan: Have a well-defined incident response plan in place. This ensures a swift and effective response in the event of a security incident, minimizing potential damage.
It’s crucial to tailor these recommendations to the specific context of the affected systems and follow any additional guidance provided by security experts or the software vendor.
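The following is an added example supporting both the monitoring and the WAF recommendations above; it is not Barracuda's or Apache's code. It parses a multipart/form-data body and applies three heuristics a WAF rule or a request-logging monitor can use: a plain form field whose name case-insensitively matches a parameter the upload interceptor derives from a file part (the override attempt), a path-traversal sequence in any field value (after URL-decoding), and a traversal sequence in an uploaded file's name. The boundary, part names, and request bodies are constructed for the example.

```python
"""Request-level detection for the upload parameter-pollution pattern.

Added example, not Barracuda's or Apache's code.  The boundary, part names
and request bodies are constructed for the illustration.
"""
import re
from urllib.parse import unquote

# ".." as a whole path segment, with either separator, checked after URL-decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Suffixes an upload interceptor appends to a file part's name to derive its
# own parameters; a legitimate client has no reason to send these itself.
DERIVED_SUFFIXES = ("FileName", "ContentType")


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: list of {name, filename, value}."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        head = head.decode("latin-1")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', head)
        if not name:
            continue
        filename = re.search(r'filename="([^"]*)"', head)
        parts.append({
            "name": name.group(1),
            "filename": filename.group(1) if filename else None,
            "value": data.rstrip(b"\r\n").decode("latin-1"),
        })
    return parts


def has_traversal(text):
    """True if the URL-decoded text contains a '..' path segment."""
    return bool(TRAVERSAL_RE.search(unquote(text)))


def inspect_upload_request(body, boundary):
    """Return a list of findings (empty when the request looks benign)."""
    parts = parse_multipart(body, boundary)
    file_parts = [p for p in parts if p["filename"] is not None]
    # Names the framework would derive from the file parts, folded to lower
    # case because the bug is a case-insensitive collision.
    derived = {
        (p["name"] + suffix).lower(): p["name"] + suffix
        for p in file_parts for suffix in DERIVED_SUFFIXES
    }
    findings = []
    for p in parts:
        if p["filename"] is None and p["name"].lower() in derived:
            findings.append(
                f"form field {p['name']!r} overrides framework parameter "
                f"{derived[p['name'].lower()]!r}"
            )
        if p["filename"] is None and has_traversal(p["value"]):
            findings.append(f"path traversal in value of {p['name']!r}: {p['value']!r}")
        if p["filename"] is not None and has_traversal(p["filename"]):
            findings.append(f"path traversal in filename of part {p['name']!r}")
    return findings


# Constructed sample requests (not captured traffic).
BOUNDARY = "----exampleboundary"
ATTACK_BODY = (
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="Upload"; filename="hello.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"(file contents)\r\n"
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="uploadFileName"\r\n'
    b"\r\n"
    b"../../webapps/ROOT/shell.jsp\r\n"
    b"------exampleboundary--\r\n"
)
BENIGN_BODY = (
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"(file contents)\r\n"
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="description"\r\n'
    b"\r\n"
    b"Quarterly report\r\n"
    b"------exampleboundary--\r\n"
)

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_upload_request(body, BOUNDARY))
```

The first heuristic is the most specific to this bug and produces few false positives; the traversal checks are generic and should be tuned per application, since some legitimate forms carry relative paths in ordinary fields. Because the checks need the request body, they belong in a WAF or reverse proxy rather than in access-log review, where POST parameters are not recorded.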
For more in-depth information on the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.