Qualys Blog, Spencer Brown, Jan 12, 2024 - 10:44 p.m.

Detect and Manage the Risk of Apache Struts (CVE-2023-50164) Comprehensively

Source: blog.qualys.com
Tags: apache struts, security vulnerability, remote code execution, file upload, version 2.5.33, version 6.3.0.2, qualys analysis, open-source packages, vulnerability scanners

  • CVSS v3.1: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality, Integrity and Availability Impact: HIGH
  • AI Score: 10 High (Confidence: High)
  • CVSS v2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P). Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality, Integrity and Availability Impact: PARTIAL
  • EPSS: 0.097 Low (Percentile: 94.3%)

Introduction

In the vast landscape of cybersecurity, staying vigilant against potential threats is crucial. A critical vulnerability that surfaced recently is CVE-2023-50164, affecting Apache Struts 2, a widely used open-source framework for Java development. This path traversal vulnerability, stemming from flaws in file upload logic, can have severe implications if left unaddressed.

Understanding CVE-2023-50164

CVE-2023-50164 was officially recognized on December 7, 2023, as a call to action for organizations to be aware of its existence. Unfortunately, threat actors wasted no time, with exploitation attempts commencing on December 13, 2023. This highlights the urgency for organizations to take immediate steps in securing their Apache Struts architecture.

Take Action With the Enterprise TruRisk Platform

Qualys offers a suite of tools and services designed to identify, prevent, and mitigate vulnerabilities like CVE-2023-50164.

Potential Impact of the Vulnerability

Successful exploitation of this vulnerability allows an unauthenticated attacker to manipulate the parameters of a file upload, traverse outside the intended upload directory, and thereby achieve remote code execution (RCE). To effectively address CVE-2023-50164, organizations need to understand the scope of the vulnerability within their systems. Below are the impacted versions:

  • Apache Struts 2.0.0 – 2.3.37 (EOL)
  • Apache Struts 2.5.0 – 2.5.32
  • Apache Struts 6.0.0 – 6.3.0

The vulnerability has been addressed with versions 2.5.33, 6.3.0.2, and above.

Qualys analyzed anonymized data from its worldwide customer base, revealing valuable insights into the distribution of various Struts versions. The findings indicate that 1.3.8 is the most prevalent version, adopted by 21.20%, followed by version 1.1 at 10.7%, version 1.3.10 at 9.2%, and version 2.5.16 at 8.02%. This data underscores the diverse usage of Struts versions across the organizations surveyed.

Challenges of Discovering Open-Source Packages

In the ever-evolving landscape of cybersecurity, the identification and mitigation of software vulnerabilities play a crucial role in maintaining a secure digital environment. Like log4j, Struts is an open-source package that is deeply embedded inside applications (typically inside WAR or EAR archives) rather than installed in a default location, so traditional vulnerability scanners have limitations in detecting Struts and its vulnerabilities. Let's explore the shortcomings of conventional approaches.

The Challenges of Traditional Methods:

  • Directory Dependency: Traditional vulnerability scanners often rely on standard directories to locate software vulnerabilities. This approach proves inadequate when software is installed in non-standard directories, as these tools may overlook potential vulnerabilities residing outside their predefined search paths.
  • Process-Driven Techniques: Implementing more sophisticated techniques, such as examining running processes using commands like 'ps,' introduces its own set of limitations. If a vulnerable process is not active during the scanning period, the vulnerability remains undetected, leading to a false sense of security.
  • File System Search Constraints: Searching the file system using commands like 'find' is another common method, but it comes with limitations. The scan is often bound by timeout constraints and maximum file depth, which hinders the detection of vulnerabilities deeply embedded in the file system. Consequently, packages residing in intricate directory structures may escape the scrutiny of traditional scanners.
  • Lack of Understanding of Risk: Customers are looking to know the risk of this vulnerability and not just report on hundreds of thousands of detections of Struts2 so that they can prioritize the ones present on critical assets, mapped to their critical applications.
  • The Upgrade Is Not Easy for the Business and Lacks Mitigation Guidance: While the concept of mitigating risk by upgrading the application version seems straightforward theoretically, the practicalities are more complex, especially if the application is integral to critical functions. It is not always feasible to upgrade the version promptly. Therefore, customers require effective interim risk mitigation strategies until they can safely update Struts.
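As an added illustration of the crawl-everything approach this post argues for (example code written for this page, not Qualys code and not the SwCA implementation), the following Python script walks a tree with no depth cut-off, opens nested archives (a jar inside a WAR inside an EAR), reads the struts2-core version from the jar's Maven pom.properties so a renamed jar is still found, and checks it against the version ranges listed above. The sample EAR it builds is constructed, and the pom.properties path is assumed from Maven's standard packaging layout.

```python
import io
import os
import pathlib
import zipfile

# Affected ranges as listed in this post; fixed in 2.5.33 and 6.3.0.2.
AFFECTED = [((2, 0, 0), (2, 3, 37)), ((2, 5, 0), (2, 5, 32)), ((6, 0, 0), (6, 3, 0))]
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"  # assumed Maven layout

def is_affected(version):
    v = tuple(int(p) for p in version.split("-")[0].split("."))  # drop "-SNAPSHOT" etc.
    return any(lo <= v <= hi for lo, hi in AFFECTED)
def version_from_archive(zf):
    """Maven version of struts2-core, found even if the jar file was renamed."""
    lines = zf.read(POM).decode().splitlines() if POM in zf.namelist() else []
    return next((l.partition("=")[2].strip() for l in lines if l.startswith("version=")), None)
def scan_archive(data, path, findings):
    """Recurse into nested archives (a jar inside a WAR inside an EAR)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    zf = zipfile.ZipFile(io.BytesIO(data))
    ver = version_from_archive(zf)
    if ver:
        findings.append((path, ver, is_affected(ver)))
        return
    for info in zf.infolist():
        if info.filename.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(info), f"{path}!/{info.filename}", findings)
def crawl(root):
    """Walk the whole tree with no depth cut-off; returns (path, version, affected)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                scan_archive(fh.read(), fh.name, findings)
    return findings

def zipped(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
def make_nested_sample(root, version="2.5.32"):
    """Constructed fixture: EAR -> WAR -> WEB-INF/lib/app-lib.jar (a renamed struts2-core)."""
    war = zipped({"WEB-INF/lib/app-lib.jar": zipped({POM: f"version={version}\n"})})
    deep = pathlib.Path(root, "opt", "legacy", "deploy")
    deep.mkdir(parents=True, exist_ok=True)
    (deep / "erp.ear").write_bytes(zipped({"erp-web.war": war}))
```

Run `make_nested_sample("some_dir")` followed by `crawl("some_dir")` to see the nested jar reported with its version and affected flag; a real sweep points `crawl` at `/` and accepts that it takes as long as the file system needs.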

Manage the TruRisk of Apache Struts Using the Qualys Platform

Qualys provides extensive solutions to detect vulnerabilities and measure TruRisk. While some alternatives focus solely on open-source discovery without supporting assessment in the production or runtime environment, others support agent or scanner mechanisms but lack high visibility into detections, especially for deep-embedded vulnerabilities like Struts 2. In such cases, an approach involving an Open-Source file sweep becomes crucial.

Qualys QID Coverage

Various Qualys IDs (QIDs) are associated with this vulnerability, providing valuable insights into its potential impact:

| QID | Title | Sensor Type | Application | Assessment Visibility |
| --- | --- | --- | --- | --- |
| QID 379106 | Apache Struts2 Remote Code Execution (S2-066) | Agent + Scanner + Container Security | VMDR, TotalCloud Container Security | Medium |
| QID 996137 | Java (Maven) Security Update for org.apache.struts:struts2-core (GHSA-2j39-qcjm-428w) | Agent with SwCA + Container Security | CAR, TotalCloud Container Security | High |
| QID 379107 | Apache Struts2 Remote Code Execution (S2-066) (Tomcat Server Authentication Record) | Scanner with Tomcat Authentication | VMDR | Medium |
| QID 731026 | Apache Struts2 Remote Code Execution (RCE) Vulnerability (S2-066) (Intrusive Check) | Scanner | VMDR | Low – unauthenticated check |
| QID 317403 | Cisco Identity Services Engine (ISE) Remote Code Execution (RCE) Vulnerability (cisco-sa-struts-C2kCMkmT) | Scanner | VMDR | High |
| QID 150774 | Apache Struts2 Remote Code Execution (RCE) Vulnerability (CVE-2023-50164) (Intrusive Check) | Web Application | WAS | Medium |
| QID 996167 | Java (Maven) Security Update for org.apache.struts:struts2-core (GHSA-729q-fcgp-r5xh) | Container Security | TotalCloud Container Security | High |

Discover Vulnerable Apache Struts Using Qualys VMDR

The initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue. Qualys VMDR facilitates the easy identification of these potentially affected assets.

In Example 1, the query identifies all assets running Linux, the open-source operating system in question.

Query: operatingSystem.category1:Linux

Current Qualys customers can use the following query to find assets on which Apache Struts 2 is detected as vulnerable to CVE-2023-50164:

vulnerabilities.vulnerability.cveIds:CVE-2023-50164

Prioritize and Track in Real Time With TruRisk

With VMDR Unified Dashboard, you can track this vulnerability, impacted hosts, status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the "Apache Struts 2" Dashboard.

As mentioned above, traditional methods of assessing software vulnerabilities often miss hidden or unconventional risks because they follow predictable paths and check standard locations. In contrast, Qualys Software Composition Analysis (SwCA) extensively scans the entire file system. This approach ensures that vulnerabilities are identified in any part of the system, not just in the well-known areas, leading to more thorough and accurate detection.

Software Composition Analysis

Detect the Deep-embedded Open-source Software (OSS) Struts Packages, Integrated with VMDR

Deploying the Qualys Cloud Agent provides organizations with a more sophisticated and in-depth detection process: With the software composition analysis (SwCA) feature, Qualys Cloud Agent discovers and reports software components and vulnerabilities associated with third-party or open-source dependent software used by various applications.

[Figures: Windows detection of deeply embedded Struts packages; Linux detection of deeply embedded Struts packages]

  • You can schedule a SwCA scan or launch the scan on demand on agent assets to bring software component data to the Qualys platform. The SwCA capability involves crawling the entire file system without limitations to short timeouts and max file depth.
  • This comprehensive approach ensures a thorough examination of software components, allowing for the identification of vulnerabilities that may be concealed within the system.

Qualys CAR customers can leverage out-of-box QID 996137 specifically built on the SwCA capability to identify the vulnerability (CVE-2023-50164), affecting Apache Struts 2.

By adopting SwCA, organizations gain a holistic view of their software landscape, enabling them to address not only CVE-2023-50164 but also other potential vulnerabilities effectively.

An Analogy to Google's Street View

Imagine the digital landscape as a vast and intricate city filled with countless software structures and packages. Navigating through this complex terrain requires a detection method that mirrors the meticulous coverage provided by Google's Street View cars.

In the realm of vulnerability detection, traditional methods are akin to navigating through the city using predefined routes. These routes may cover the main streets and well-known areas but fall short when it comes to exploring every nook and cranny of the city. Likewise, traditional detections rely on standard directories and active processes, following predetermined paths that may overlook vulnerabilities hidden in unconventional locations.

Enter Qualys Software Composition Analysis (SwCA), which revolutionizes the vulnerability detection process by adopting a file system crawling technique. This method is analogous to Google's Street View cars meticulously driving through every street, capturing a detailed view of the entire cityscape.

Just as Street View cars provide a comprehensive visual representation of a city, Qualys SwCA systematically crawls through the file system, leaving no part unexplored. This exhaustive approach ensures that vulnerabilities are discovered regardless of their location in the digital city. Much like Street View captures every corner and alley, Qualys SwCA identifies vulnerabilities deeply embedded in intricate directory structures, providing a panoramic view of the software landscape.

The analogy extends to the idea of completeness and accuracy. Just as Street View aims to capture a true reflection of the real world, Qualys SwCA aims to provide a genuine and comprehensive representation of the software environment. The all-encompassing nature of both approaches ensures that nothing escapes scrutiny, offering a level of thoroughness that traditional methods struggle to achieve.

Using Scanner and Software Composition Analysis With Cloud Agent Together

Leveraging both Scanner and Software Composition Analysis with the Cloud Agent in tandem can provide a synergistic approach to vulnerability detection. While the traditional detection methods of the Scanner offer a quick and efficient overview of potential vulnerabilities, the Software Composition Analysis with the Cloud Agent ensures a more thorough examination without limitations to timeouts and file depth. By combining these approaches, organizations can benefit from the strengths of each method, enhancing their ability to discover and remediate vulnerabilities effectively. This collaborative strategy maximizes the efficiency and accuracy of the vulnerability management process, ultimately fortifying the security posture of the organization.

Detecting the Vulnerability With Qualys WAS

Qualys has released QID 150774: Apache Struts2 Remote Code Execution Vulnerability to detect vulnerable applications.

The new detection released to production is intrusive. As part of the security testing of the application, when the Qualys WAS scan is launched, an attempt is made to upload a couple of non-malicious files – 'Qualyswas.txt' and 'Qualyswas.jsp'. Vulnerable applications will successfully upload the file(s). When the QID is reported in your scan against your Struts application, the vulnerable server should be reviewed. Please search the server directory for the presence of uploaded files and remove the file(s).

For more comprehensive WAS detection, please see Yet Another Apache Struts 2 Vulnerability – CVE-2023-50164

Detecting the Vulnerability With Qualys TotalCloud Container Security

Qualys has released QID 996167 and QID 996137 related to Apache Struts2 to detect vulnerable container images. Using Container Security sensors, you can detect these QIDs in container images, preventing the vulnerable images from potentially being deployed in the production Kubernetes environments.

Qualys provides QID 379106: Apache Struts2 Remote Code Execution (S2-066) to detect running containers with vulnerable Apache Struts2 components. For more information, see Apache Struts2 Remote Code Execution Vulnerability (CVE-2023-50164).

Mitigate the Risk

Qualys research team is providing a custom script to mitigate the risk without upgrading. This will be a part of Qualys CAR and available soon.

Conclusion

The identification and remediation of CVE-2023-50164, a critical vulnerability affecting Apache Struts 2, demands immediate attention in the cybersecurity landscape. Traditional vulnerability detection methods face challenges in navigating the evolving digital terrain, necessitating innovative approaches. In addition to detecting the vulnerable packages using traditional scanning and agent-based mechanisms through Qualys VMDR and Web Application Scanning (WAS), Qualys Software Composition Analysis (SwCA), enabled with Qualys agent, helps customers automatically detect the deep-embedded Struts packages, integrated with TruRisk, akin to Google's Street View cars meticulously covering every part of a city.

This exhaustive approach ensures the discovery of vulnerabilities, offering a level of thoroughness that traditional methods struggle to achieve. Leveraging both Scanner and Software Composition Analysis with the Cloud Agent in tandem provides a synergistic approach, maximizing efficiency and accuracy in the vulnerability management process. This allows organizations to gain a holistic view of their software landscape, addressing not only CVE-2023-50164 but also other potential vulnerabilities effectively. The collaboration of these methods fortifies the security posture of organizations, enhancing their ability to discover and remediate vulnerabilities systematically.

Act Now

  1. Understand where Apache Struts resides by using Qualys' comprehensive detections
  2. Prioritize the findings important for your business
  3. Upgrade or migrate the discovered vulnerable Struts installations

Enable the Custom Assessment & Remediation (CAR) capability to automatically detect deep-embedded Apache Struts and other open-source vulnerable packages such as log4j and openSSL.