Another Critical Vulnerability in Apache Struts: CVE-2023-50164

ggenard · ‎04-19-2024

Another Critical Vulnerability in Apache Struts: CVE-2023-50164

Vulnerability Overview

Another one? Apache Struts seems to be experiencing quite a series of vulnerabilities. Apache Struts has been a target for malicious actors due to its widespread adoption and the potential impact of vulnerabilities within applications built on the framework. One of the most notable instances was the Equifax data breach in 2017, where attackers exploited a vulnerability in Apache Struts to gain unauthorized access to sensitive data.

The Equifax breach was a wake-up call for many organizations regarding keeping frameworks and libraries up-to-date and implementing robust security measures in their web applications. Since then, there has been increased awareness and emphasis on regularly patching and securing Apache Struts applications to mitigate the risk of exploitation by cybercriminals.

Fortinet Product Security Incident Response Team (PSIRT) continuously works to identify and address vulnerabilities, releasing updates and patches to enhance the framework's security posture. However, organizations must stay vigilant, stay informed about security advisories, and promptly apply patches to ensure the security of their applications. Additionally, implementing security best practices such as input validation, output encoding, and proper authentication and authorization mechanisms can further bolster the security of Apache Struts-based applications.

Why Apache Struts?

Apache Struts helps developers to create flexible, maintainable, and secure web applications in Java. Apache Struts is still widely used in today’s software deployment, either actively deployed or still being maintained. Struts is a top-rated open-source platform for developing applications and websites.

Apache STRUTS vulnerabilities are listed below but not as critical as the CVE-2023-50164. Other vulnerabilities in Apache Struts are CVE-2023-41835, CVE-2023-34396, CVE-2023-34149.

Security Advisory: CVE-2023-50164

On December 7, 2023, Apache issued a security advisory concerning CVE-2023-50164, a critical vulnerability discovered in Apache Struts, scoring 9.8 on the CVSS scale. This vulnerability impacted versions ranging from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.

Apache Struts, a widely utilized, freely available open-source framework, is a cornerstone in developing modern Java web applications for commercial and open-source endeavors. Notably, vulnerabilities within Struts have consistently attracted attention from threat actors, evidenced by incidents like the Equifax breach in 2017. Due to its extensive adoption, any security flaw discovered in Apache Struts can quickly escalate into a matter of substantial concern across diverse industries.

This vulnerability enables attackers to exploit file upload parameters, potentially leading to path traversal. As a result, malicious files can be uploaded, creating a pathway for remote code execution (RCE).

On December 8, we recommended that customers activate temporary signatures to block this vulnerability.

Vulnerability indicates an attack attempt to exploit a Paths Traversal vulnerability in Apache Struts.
The vulnerability is caused by an error handling issue when the application handles a malicious HTTP multipart request. A remote attacker may exploit this to execute arbitrary code within the application context via a crafted HTTP request.

Fortinet Protection Assurance

Following the publication of several proofs of concepts (POCs) on December 11, 2023, the FortiWeb Threat Research team developed additional dedicated mitigations explicitly designed for this vulnerability. These new measures complement the already robust set of rules and signatures.

Subsequently, on December 29, 2023, FortiWeb introduced an official signature to enhance protection against this vulnerability further.

Despite the existing protective measures, we strongly recommend that customers remain vigilant and promptly update their systems with the latest security patches. As always, FortiWeb Threat Research is actively monitoring the situation and will continue to provide updates as new information arises. FortiWeb protects any customer from this vulnerability and other Fortinet components, which are listed at the link below.

https://www.fortiguard.com/search?q=CVE-2023-50164&engine=3

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-50164

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164

https://fortiguard.fortinet.com/encyclopedia/ips/54499

https://www.cvedetails.com/cve/CVE-2023-41835/

https://www.cvedetails.com/cve/CVE-2023-34396/

https://www.cvedetails.com/cve/CVE-2023-34149/

Another Critical Vulnerability in Apache Struts: CVE-2023-50164

FortiCloud 3.1.2 Release - Great update for MSP services

Announcing FortiOS 5.4: The World’s Most Advanced Cybersecurity Operating System

FortiSIEM 6.3.0 Released