impervablog | Muly Levy | IMPERVABLOG:9B055D72F2592C6A01ADFD3841037710
Dec 19, 2023 - 12:34 p.m.

CVE-2023-50164: A Critical Vulnerability in Apache Struts

2023-12-19 12:34:31
Muly Levy
www.imperva.com
Tags: apache struts, vulnerability, remote code execution, threat actors, exploitation attempts, security patches

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: Low)

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High (Percentile: 100.0%)

On December 7, 2023, Apache released a security advisory regarding CVE-2023-50164, a critical vulnerability in Apache Struts with a CVSS score of 9.8. Versions 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0 were affected.

Apache Struts is a popular, free, open-source framework used to build modern Java web applications in numerous commercial and open-source projects. Vulnerabilities in Struts have been popular targets for threat actors, as in the Equifax breach in 2017. Given its widespread distribution, any vulnerability in Apache Struts can become a matter of significant concern across various sectors.

By exploiting this vulnerability, attackers can manipulate file upload parameters, allowing for path traversal. Consequently, a malicious file can be uploaded, opening the door to remote code execution (RCE).

Several proofs of concept (PoCs) were published on December 11, 2023. The Imperva Threat Research team created dedicated mitigations for this vulnerability to supplement the existing rules and signatures, which are effective.

Over the past few days, we observed thousands of exploitation attempts, all of which were successfully thwarted by Imperva Cloud WAF, Imperva RASP, and Imperva WAF Gateway (customer-managed WAF). Most of the attempts originated from IP addresses in the United States and France.

Most exploitation attempts were carried out by automated hacking tools written in the Go programming language. The targeted web applications were in the United States, Australia, the Netherlands, and New Zealand.

During an exploitation attempt, an attacker crafts a special request to upload malicious web shells, commonly as .JSP or .WAR files, using path traversal techniques to place them in locations that are not intended for user-uploaded content and were not originally accessible.
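As an added example (not code from Imperva or the Struts project), the following Python sketch shows the kind of server-side check that keeps a client-supplied upload name inside the upload directory and refuses the file types named above. The function names, the deny-list and the sample names are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

# Assumed deny-list for this example: types a servlet container runs or deploys.
BLOCKED_EXTENSIONS = {".jsp", ".jspx", ".war"}


class UploadRejected(ValueError):
    """The client-supplied upload name is unsafe."""


def _fully_decode(value, max_rounds=3):
    # Decode repeatedly so double-encoded input such as %252e%252e%252f is seen.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UploadRejected("excessive percent-encoding")


def safe_upload_path(upload_root, client_name):
    """Return the absolute path for client_name inside upload_root, or raise."""
    name = _fully_decode(client_name).replace("\\", "/")
    stem = name.rstrip(". ")  # trailing dots/spaces are dropped by some filesystems
    if "/" in name or "\x00" in name or not stem:
        raise UploadRejected("path components are not allowed")
    dot = stem.rfind(".")
    if dot != -1 and stem[dot:].lower() in BLOCKED_EXTENSIONS:
        raise UploadRejected("blocked file type")
    # Defence in depth: resolve symlinks and confirm the target stays in the root.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def triage(upload_root, names):
    """Map each name to 'accepted' or the rejection reason."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            verdicts[name] = "accepted"
        except UploadRejected as exc:
            verdicts[name] = str(exc)
    return verdicts


# Constructed sample names, not taken from observed traffic.
SAMPLES = ["report.pdf", "../../outside/x.jsp", "%252e%252e%252fx.txt", "app.WAR."]
```

A check like this sits in the application's own upload handler and complements, rather than replaces, running a patched Struts version.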

Despite these protection measures, we strongly advise customers to stay vigilant and ensure their systems are promptly updated with the latest security patches. As always, Imperva Threat Research is monitoring the situation and will provide updates as new information emerges.

The post CVE-2023-50164: A Critical Vulnerability in Apache Struts appeared first on Blog.
