Other official information and services: www.belgium.be

Warning: Patch available for critical RCE vulnerability In Apache Struts

Reference:

Advisory #2023-148

Version:

1.1

Affected software:

Struts 2.0.0

Struts 2.3.37 (end of life)

Struts 2.5.0

Struts 2.5.32

Struts 6.0.0

Struts 6.3.0

Type:

Remote Code Execution (RCE)

CVE/CVSS:

CVE-2023-50164

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Datum:

11/12/2023

Sources

https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj

Risks

CVE-2023-34051 is a critical vulnerability, with a CVSS score of 9.8, that is affecting Apache Struts 2 open-source development framework.

The exploitation of the vulnerability could lead to remote code execution and have severe consequences, with high impact to confidentiality, integrity and availability of the targeted systems. Attackers have been observed attempting to leverage this vulnerability in attacks that are using a publicly available proof-of-concept exploit code.

Description

CVE-2023-50164 vulnerability may allow an attacker to manipulate file upload parameters to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

The vulnerability is affecting Apache Struts 2.0.0 through 2.5.32 and Apache Struts 6.0.0 through 6.3.0.1.

Recommended Actions

To address this vulnerability, Apache recommends users to urgently upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater.
Version Notes to find more details about performed bug fixes and improvements are available at:

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.33

https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.2

References

https://nvd.nist.gov/vuln/detail/CVE-2023-50164

https://cwiki.apache.org/confluence/display/WW/S2-066

https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.33

https://www.tenable.com/cve/CVE-2023-50164

https://www.securityweek.com/apache-patches-critical-rce-vulnerability-i...

https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/