On December 13, 2023, threat actors began exploitation attempts against CVE-2023-50164, a critical-severity remote code execution (RCE) vulnerability in Apache Struts, an open-source framework for building Java web applications. Based on current intelligence, the threat actors are leveraging a publicly available proof-of-concept (PoC) exploit. CVE-2023-50164 carries a CVSS score of 9.8: a remote threat actor can manipulate file upload parameters to achieve path traversal, and so write a malicious file (typically a web shell) to a location on the server where it will be executed, resulting in RCE. Exploitation requires that the target application expose a Struts file upload action and that the attacker can reach a directory from which the written file is served or executed, so the practical impact is application-specific. Apache fixed this vulnerability in the Struts versions released on December 7, 2023.
Apache Struts is often embedded in other enterprise software, so the vulnerability must be addressed separately by each vendor that ships it. In response to the threat, Cisco is investigating the potential impact of CVE-2023-50164 across a range of its products and will update its advisory as the investigation continues. We expect additional vendors to publish advisories covering this vulnerability in their products.
Apache Struts has long been an attractive target for threat actors, as shown by the several Struts RCE vulnerabilities listed in CISA's Known Exploited Vulnerabilities Catalog. We assess that attacks targeting this vulnerability will likely surge in the near term, given the publicly available PoC exploit and the ease of exploitation.
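The bulletin describes the flaw as an attacker manipulating file upload parameters so that the framework writes the uploaded file to a traversed path. The following Python is an added example for this page (not Arctic Wolf's or Apache's code) showing how a SOC might triage multipart requests for that shape: a client-supplied text field whose name ends in `FileName` (the suffix Struts itself uses for the file-name parameter it derives from a file input) carrying `..` segments or an absolute path. The multipart parser is deliberately minimal, and the two sample requests, their field names and the boundary string are constructed for illustration, not captured traffic.

```python
"""Triage multipart upload requests for the abuse pattern behind
CVE-2023-50164: an attacker-controlled file-name parameter carrying
path traversal.

Added example for this bulletin; not Arctic Wolf or Apache code. The
parser is minimal (enough for log or PCAP triage) and the requests
below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Struts convention: a file input named "upload" is accompanied by the
# framework-derived parameters "uploadFileName" and "uploadContentType".
# A client that sends a text field ending in "FileName" is therefore
# already unusual; one that puts traversal in it is the signature we want.
FILENAME_PARAM = re.compile(r"filename$", re.IGNORECASE)

# '..' as a path segment, an absolute POSIX path, a Windows drive path,
# or URL-encoded '..' (in case the value arrives double-encoded).
TRAVERSAL = re.compile(
    r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[a-z]:[\\/]|%2e%2e", re.IGNORECASE
)

Part = Dict[str, Optional[str]]


def parse_multipart(content_type: str, body: bytes) -> List[Part]:
    """Split a multipart/form-data body into parts:
    {"name": field name, "filename": attribute or None, "value": text}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type has no multipart boundary")
    delimiter = ("--" + m.group(1)).encode("latin-1")
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        chunk = chunk.strip(b"\r\n")
        if chunk in (b"", b"--"):          # preamble residue / closing "--"
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        # (?<!file) keeps name="..." from matching inside filename="..."
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        filename = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "value": data.decode("latin-1", errors="replace"),
        })
    return parts


def triage_upload_request(content_type: str, body: bytes) -> List[Tuple[str, str, str]]:
    """Return (severity, parameter, value) findings for one request.

    high   - traversal in a *FileName text field (the CVE-2023-50164 shape)
             or in the filename attribute of the file part itself
    medium - a client-supplied *FileName text field without traversal;
             legitimate Struts clients do not send these at all
    """
    findings = []
    for part in parse_multipart(content_type, body):
        if part["filename"] is not None:
            if TRAVERSAL.search(part["filename"]):
                findings.append(("high", part["name"], part["filename"]))
        elif FILENAME_PARAM.search(part["name"]):
            sev = "high" if TRAVERSAL.search(part["value"]) else "medium"
            findings.append((sev, part["name"], part["value"]))
    return findings


def build_multipart(boundary: str, fields: List[Tuple[str, str, Optional[str]]]) -> Tuple[str, bytes]:
    """Fixture builder: (name, value, filename-or-None) -> (Content-Type, body)."""
    lines = []
    for name, value, filename in fields:
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        lines += [f"--{boundary}", disposition, "", value]
    lines += [f"--{boundary}--", ""]
    return f"multipart/form-data; boundary={boundary}", "\r\n".join(lines).encode("latin-1")


# Constructed samples: a normal upload, and one shaped like the bulletin's
# description of the attack (the client supplies the file-name parameter).
BENIGN = build_multipart("b0undary", [
    ("upload", "PDF-BYTES", "report.pdf"),
    ("description", "Q4 report", None),
])
MALICIOUS = build_multipart("b0undary", [
    ("upload", "JSP-BYTES", "payload.jsp"),
    ("uploadFileName", "../../shell.jsp", None),
])

if __name__ == "__main__":
    for label, (ct, body) in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, triage_upload_request(ct, body))
```

Legitimate Struts clients never send a `*FileName` text field themselves, so even one without traversal is worth a medium-severity alert. The exact parameter names depend on the field names of your own upload forms, so feed the triage function your application's request logs or a PCAP extract rather than relying on the constructed samples, and treat it as a detection aid, not a substitute for upgrading.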
Recommendations for CVE-2023-50164
Recommendation #1: Upgrade Apache Struts to Fixed Version
Where feasible, Arctic Wolf strongly recommends upgrading Apache Struts to a fixed version. Note that the Struts 2.3.x branch is end of life and receives no fix of its own: deployments on 2.0.0 through 2.3.37 must migrate to 2.5.33 or later, which may require application changes and testing beyond a routine patch.
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Apache Struts | 2.0.0 – 2.3.37 (EOL) | 2.5.33 or greater |
| Apache Struts | 2.5.0 – 2.5.32 | 2.5.33 or greater |
| Apache Struts | 6.0.0 – 6.3.0 | 6.3.0.2 or greater |
Please follow your organization's patching and testing guidelines to avoid operational impact.
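To turn the version table above into an inventory check, here is an added Python example (not Arctic Wolf's or Apache's tooling) that classifies a Struts version against the advisory ranges and walks an exploded web-application tree for `struts2-core-<version>.jar` files. The directory layout it builds under a temporary directory is a constructed fixture; on a real host, point `audit()` at, for example, a Tomcat `webapps/` directory. It treats every 6.x build below 6.3.0.2 as needing the upgrade, matching the "6.3.0.2 or greater" guidance rather than the 6.3.0 ceiling alone.

```python
"""Check Apache Struts versions against the CVE-2023-50164 advisory ranges
and locate struts2-core jars in exploded web applications.

Added example for this bulletin; not Arctic Wolf or Apache tooling. The
demo tree built by build_demo_tree() is a constructed fixture.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

Version = Tuple[int, ...]

# (low inclusive, high exclusive, upgrade target, EOL branch?) per the table.
# The 6.x line is bounded by the fixed release itself, so every 6.x build
# older than 6.3.0.2 is treated as needing the upgrade.
AFFECTED_LINES = [
    ((2, 0, 0, 0), (2, 5, 0, 0), "2.5.33", True),    # 2.0.0 - 2.3.37 (EOL)
    ((2, 5, 0, 0), (2, 5, 33, 0), "2.5.33", False),  # 2.5.0 - 2.5.32
    ((6, 0, 0, 0), (6, 3, 0, 2), "6.3.0.2", False),  # 6.0.0 - 6.3.0
]

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})\.jar$")


def parse_version(text: str) -> Version:
    """'6.3.0.2' -> (6, 3, 0, 2); shorter strings are zero-padded to four
    components so that 6.3.0 sorts below 6.3.0.2."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return nums + (0,) * (4 - len(nums))


def classify(version: str) -> Dict[str, object]:
    """Map a Struts version string to the advisory's verdict.
    Struts 1.x is a separate code base and is not in the affected list."""
    v = parse_version(version)
    for low, high, target, eol in AFFECTED_LINES:
        if low <= v < high:
            return {"version": version, "affected": True,
                    "upgrade_to": target, "eol_branch": eol}
    return {"version": version, "affected": False,
            "upgrade_to": None, "eol_branch": False}


def find_struts_jars(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, version) for struts2-core jars under root (exploded
    WARs only; packed .war files need zipfile before names are visible)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if m:
                yield os.path.join(dirpath, name), m.group(1)


def audit(root: str) -> List[Dict[str, object]]:
    """Classify every struts2-core jar found under root."""
    return [dict(path=path, **classify(ver))
            for path, ver in sorted(find_struts_jars(root))]


def build_demo_tree() -> str:
    """Constructed fixture: a fake webapps/ tree with empty jar files."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    for rel in (
        "legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
        "portal/WEB-INF/lib/struts2-core-2.5.32.jar",
        "api/WEB-INF/lib/struts2-core-6.3.0.jar",
        "patched/WEB-INF/lib/struts2-core-6.3.0.2.jar",
        "other/WEB-INF/lib/commons-io-2.11.0.jar",   # not Struts, ignored
    ):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return root


if __name__ == "__main__":
    for result in audit(build_demo_tree()):
        verdict = "AFFECTED" if result["affected"] else "ok"
        note = " (EOL branch, migration required)" if result["eol_branch"] else ""
        print(f"{verdict:8} {result['version']:8} -> {result['upgrade_to'] or '-'}"
              f"{note}  {result['path']}")
```

Two caveats apply when you run this for real: packaged `.war` files must be expanded (or read with `zipfile`) before the jar names are visible, and Struts embedded by a vendor may be renamed or shaded into a larger jar, so a clean scan does not replace checking the vendor's advisory. The jar file name is also not authoritative; the `Implementation-Version` in its `META-INF/MANIFEST.MF` is the better source when you have the archive.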
Recommendation #2: Closely Monitor Software Vendor Patch Advisories Related to CVE-2023-50164
Apache has released patches for CVE-2023-50164 in Apache Struts; however, a patch to the framework is not automatically applied to software products that embed it. The best method for remediating CVE-2023-50164 in third-party software is to apply the official security updates from the vendor of each affected product.
We strongly recommend monitoring software vendor advisories for security updates that remediate CVE-2023-50164 in your environment and applying the available security updates promptly.