
Threat Intel Update: CVE-2023-50164 – Apache Struts2


CVE-2023-50164 is a critical vulnerability in Apache Struts 2, a widely used open-source Model-View-Controller (MVC) framework for Java web applications. Here is a breakdown based on the information published by the Apache Struts project.

Vulnerability Details

CVE-2023-50164 allows an attacker to manipulate file upload parameters so that the name under which an uploaded file is stored is attacker-controlled and not confined to the intended upload directory, enabling path traversal. Under certain conditions this lets the attacker write a malicious file to a location of their choosing on the server; if that location is one the application server will execute from (for example a JSP placed under the web root), the result is Remote Code Execution (RCE). Impact: any application that exposes a Struts file upload endpoint to an attacker is at risk of arbitrary code execution on the affected server, with no authentication required by the framework flaw itself.

Technical Specifications

  • Flawed Component: The vulnerability stems from defective file upload logic in Apache Struts 2: the file upload interceptor, together with the parameter handling that feeds it, does not stop an attacker-supplied file name from escaping the upload directory.
  • Severity Rating: CVSS 3.1 base score 9.8, categorized as CRITICAL. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H means the flaw is reachable over the network with low attack complexity, no privileges and no user interaction, and has high impact on confidentiality, integrity and availability.

Affected Versions

Apache Struts versions from 2.0.0 up to and including 2.5.32, and versions from 6.0.0 up to and including 6.3.0.1, are affected. Note that the 2.0.x through 2.3.x line is end-of-life and receives no fixed release, so deployments on those versions must move to the 2.5.x line (2.5.33 or later) or to 6.3.0.2 or later.
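The version ranges above are easy to misread when Struts uses four-component versions such as 6.3.0.1. The following Python helper, added here as an example and not part of the page's original content or of the Struts project, encodes the affected ranges and fixed releases stated on this page and checks version strings and struts2-core jar names against them. The jar-name pattern and the sample classpath listing are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges and fixed releases as stated on this page (Apache S2-066).
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((2, 0, 0), (2, 5, 32)),      # 2.0.0 .. 2.5.32 (2.0-2.3 line is EOL)
    ((6, 0, 0), (6, 3, 0, 1)),    # 6.0.0 .. 6.3.0.1
)
FIXED_BY_MAJOR = {2: "2.5.33", 6: "6.3.0.2"}

# Assumed naming of the core jar on a classpath, e.g. struts2-core-6.3.0.1.jar
# (an optional qualifier such as -SNAPSHOT is tolerated).
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Version:
    """'6.3.0.1' -> (6, 3, 0, 1). Tuples compare component-wise and a shorter
    tuple sorts before a longer one with the same prefix, so 6.3.0 < 6.3.0.1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release to move to, or None if the version is not affected."""
    if not is_affected(version):
        return None
    return FIXED_BY_MAJOR[parse_version(version)[0]]


def scan_jar_names(jar_names: List[str]) -> List[Tuple[str, str, bool]]:
    """Report (jar, version, affected) for every struts2-core jar in a listing.
    Other jars (plugins, commons-fileupload, ...) are ignored."""
    report = []
    for name in jar_names:
        m = JAR_NAME.match(name)
        if m:
            report.append((name, m.group(1), is_affected(m.group(1))))
    return report


# Constructed classpath listing for illustration only.
CONSTRUCTED_CLASSPATH = [
    "struts2-core-2.5.32.jar",
    "struts2-core-6.3.0.1.jar",
    "struts2-core-6.3.0.2.jar",
    "struts2-convention-plugin-6.3.0.1.jar",
    "commons-fileupload-1.5.jar",
]

if __name__ == "__main__":
    for jar, ver, hit in scan_jar_names(CONSTRUCTED_CLASSPATH):
        print(f"{jar}: {'AFFECTED, upgrade to ' + recommended_upgrade(ver) if hit else 'ok'}")
```

Run it over the output of `find / -name 'struts2-core-*.jar'` (or the unpacked WEB-INF/lib of each WAR) to catch older copies that a build may still bundle after the declared dependency has been bumped.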

Mitigation and Updates

Apache released Struts 2.5.33 and Struts 6.3.0.2 to fix this file upload vulnerability and close the path to remote code execution.

**Edgio’s platform is not impacted by this vulnerability. We recommend you take the following actions to protect your application.**

Recommended Action: Upgrade to Struts 2.5.33 or Struts 6.3.0.2 or a later release. Upgrading is the only complete fix. After upgrading, confirm that no older struts2-core jar remains on the classpath (for example one bundled into a WAR or carried in by a plugin), since the running version is what matters, not the declared dependency.

If you are unable to upgrade immediately, Edgio can help you deploy custom security rules to mitigate this threat by blocking any file upload using HTTP forms or multipart content types. This rule also stops legitimate uploads, so scope it to the applications or paths that do not need them, and treat it as a stop-gap rather than a fix: the application stays vulnerable to any request that reaches it by another route. Given the critical rating and the potential for exploitation, address this promptly, and reach out to Edgio’s 24×7 SOC at tickets@edg.io for help implementing customized virtual patches.
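A blanket block on multipart uploads is the blunt form of the virtual patch described above. The Python example below, added here and not taken from the page, from Edgio or from the Struts project, shows the narrower check an edge rule can apply instead: parse a multipart/form-data body and reject the request when a part's filename or a text field's value carries a path traversal indicator. The multipart parser, the traversal pattern, the field names and the two sample bodies are all constructed for illustration and are not a reproduction of any specific exploit.

```python
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]   # (part name, where it was found, offending text)

# Traversal indicators: '..' as a path segment, absolute POSIX or Windows paths,
# URL-encoded variants of the same, and NUL bytes. Tune for your applications.
SUSPICIOUS = re.compile(
    r"(?:^|[\\/])\.\.(?:[\\/]|$)"
    r"|^[\\/]"
    r"|^[A-Za-z]:[\\/]"
    r"|%2e%2e|%2f|%5c|%00|\x00",
    re.IGNORECASE,
)


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type header, else None."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, object]]:
    """Minimal multipart parser: one dict per part with 'name', 'filename'
    (None for plain fields) and 'data' (raw bytes). Assumes CRLF line endings."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Dict[str, object]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                         # malformed part: no header/body separator
        headers = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', headers)        # does not match inside "filename"
        filename = re.search(r'\bfilename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "data": data,
        })
    return parts


def find_traversal(parts: List[Dict[str, object]], max_text_bytes: int = 4096) -> List[Finding]:
    """Flag filenames and text-field values that carry a traversal indicator.
    File payloads themselves are not scanned; only their declared filename is."""
    findings: List[Finding] = []
    for p in parts:
        name, filename = str(p["name"]), p["filename"]
        if filename is not None:
            if SUSPICIOUS.search(str(filename)):
                findings.append((name, "filename", str(filename)))
        else:
            text = bytes(p["data"])[:max_text_bytes].decode("utf-8", errors="replace")
            if SUSPICIOUS.search(text):
                findings.append((name, "value", text))
    return findings


def inspect_request(headers: Dict[str, str], body: bytes) -> Tuple[str, List[Finding]]:
    """Edge-rule decision: 'block' when a multipart body carries traversal
    indicators or the multipart header has no usable boundary; 'allow' otherwise.
    Non-multipart requests pass through untouched."""
    ct = headers.get("Content-Type", "")
    boundary = boundary_from_content_type(ct)
    if ct.lower().startswith("multipart/") and boundary is None:
        return "block", [("", "content-type", ct)]
    if boundary is None:
        return "allow", []
    findings = find_traversal(parse_multipart(body, boundary))
    return ("block" if findings else "allow"), findings


# Constructed sample bodies (field names are illustrative, not from any exploit).
BOUNDARY = "----ExampleBoundary7MA4YWxk"
HEADERS = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
MALICIOUS_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 constructed payload\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fileName"\r\n\r\n'
    "../../../evil.jsp\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
BENIGN_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 constructed payload\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\n'
    "quarterly report\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

if __name__ == "__main__":
    print(inspect_request(HEADERS, MALICIOUS_BODY))
    print(inspect_request(HEADERS, BENIGN_BODY))
```

Two caveats for production use: the pattern flags URL-encoded slashes in any text field, which may hit legitimate fields that carry encoded URLs, and some legacy clients send absolute local paths in the filename attribute; log before you block, review the findings, then tighten. The same check run over captured requests in your WAF or access logs doubles as a hunt for attempts against the affected upload endpoints.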

Additional Resources:

https://www.cve.org/CVERecord?id=CVE-2023-50164
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/announce-2023#a20231207-2