Home Blogs 위협 인텔 업데이트: CVE-2023-50164 – Apache Struts2
Applications

위협 인텔 업데이트: CVE-2023-50164 – Apache Struts2

About The Author

Outline

CVE-2023-50164 is a critical vulnerability discovered in Apache Struts2, an extensively used open-source Model-View-Controller (MVC) framework for Java web applications​.

Here’s a detailed breakdown based on the latest information.

Vulnerability Details

CVE-2023-50164 allows an attacker to manipulate file upload parameters, enabling path traversal. Under certain conditions, this can lead to the uploading of a malicious file, which can be leveraged to perform Remote Code Execution (RCE)​​.

Impact: This vulnerability poses a serious threat as it could potentially enable remote attackers to execute arbitrary code on affected servers​.

Technical Specifications

  • Flawed Component: The vulnerability stems from a defective file upload logic in Apache Struts 2​​.
  • Severity Rating: It has a CVSS 3.x base score of 9.8, categorized as CRITICAL. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is both highly damaging and easy to exploit​.

Affected Versions

Apache Struts versions from 2.0.0 up to 2.5.32 and versions from 6.0.0 up to 6.3.0.1 are affected by this vulnerability​.

Mitigation and Updates

Apache Struts2 security updates were released to address this critical file upload vulnerability, mitigating the potential for remote code execution​​​.

**Edgio’s platform is not impacted by this vulnerability.
We recommend you take the following actions to protect your application.**

Recommended Action: Users are advised to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or later versions to rectify this issue. If you are unable to immediately upgrade to these versions, Edgio can help you deploy custom security rules to mitigate this threat by blocking any file upload using HTTP Forms or multipart content types. It’s crucial to promptly address this vulnerability due to its critical nature and potential for exploitation, so reach out to Edgio’s 24×7 SOC at tickets@edg.io to get help implementing customized virtual patches.

Additional Resources:

https://www.cve.org/CVERecord?id=CVE-2023-50164
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/announce-2023#a20231207-2

Tags

Just For You