CVE-2023-50164: Apache Struts Unauthenticated File Upload Remote Code Execution

On December 7, Apache released a patch for their open-source Model-View-Controller (MVC) framework, Apache Struts.

This patch is to address a new critical unauthenticated file upload vulnerability that can lead to remote code execution (RCE), assigned to CVE-2023-50164.

Proof of exploit code is publicly available and evidence of active exploitation was observed on December 13.

Affected Versions

• Apache Struts 2.0.0 through 2.5.32
• Apache Struts 6.0.0 through 6.3.0.1

Many 3rd party vendors leverage the Apache Struts framework in their products.  Cisco released an advisory detailing which of their products are affected by the vulnerability, which can be found here.

Mitigations

Update vulnerable versions to the fixed version:

• Apache Struts 2.5.33
• Apache Struts 6.3.0.2

Recommended Actions

If you have any web-facing sites or applications, please check with your vendor if they leverage Apache Struts, and apply the appropriate patch.  All vulnerable Apache Struts instances should be patched immediately.

Additional Resources

• https://www.labs.greynoise.io/grimoire/2023-12-12-apache-struts-cve-2023-50164/
  
• https://nvd.nist.gov/vuln/detail/CVE-2023-50164
  
• https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.