What You Need to Know About Apache Struts and CVE-2023-50164
Discover the critical details of CVE-2023-50164, a severe vulnerability in Apache Struts reported on Dec 7, 2023. Learn how this flaw in HTTP parameter handling during file uploads leads to path traversal and potential remote code execution and explore proof-of-concept exploits, observed attack scenarios, and the urgent need for Apache Struts users to update their applications.
Edit (Dec 18, 21h36 CET): Our pull request got merged; both the GitHub Advisory Database and OSV show versions >= 2.0 as affected.
CVE-2023-50164 is the newest vulnerability for the popular Web application framework Apache Struts, reported on Dec 7, 2023. The vulnerability can lead to path traversals and, in some scenarios, to remote code execution.
Numerous GitHub repositories contain proof-of-concept exploits, and exploitation attempts have been observed starting Dec 12.
All of that makes CVE-2023-50164 a severe vulnerability, which requires immediate attention by consumers of Apache Struts.
What’s the vulnerability about?
The vulnerability is rooted in the flawed handling of HTTP parameters during file uploads. This logic has a path traversal vulnerability, which could allow attackers to upload arbitrary files to file system directories outside of intended upload directories.
A common attack scenario exploiting this vulnerability consists of uploading single Java Server Pages (JSP) files or entire Web applications into directories of the Servlet container running the vulnerable Struts2 application. Those JSPs or Web applications can then be executed and accessed simply through the browser. The upload handler effectively becomes an alternative deployment mechanism, which allows executing arbitrary code on the Web server.
The following screenshot exemplifies an HTTP request exploiting the vulnerability. The upper section contains the header of an HTTP POST request with “Content-Type: multipart/form-data”. The lower section shows the body of the HTTP request, which comprises two parts:
- The first part could come from a legitimate Web application and contains some metadata as well as the actual file content. The metadata is used by Apache Struts to populate parameters that are passed to custom handler methods implemented by the Struts application.
  The form field “Upload”, for example, results in the construction of a parameter “UploadFileName” (note the capitalization). Its value comes from the field “filename” and is sanitized by the method “JakartaMultiPartRequest.getCanonicalName(String filename)”. This parameter is passed to a custom setter method “setUploadFileName(String uploadFileName)” in the Struts2 application.
- The second part of the multipart request is crafted by the attacker to exploit the vulnerability. It contains only one form field, named “uploadFileName” (without capitalization), whose value is a relative path.
  This part results in another parameter named “uploadFileName” with the value “../src/main/webapp/foo.jsp”. It bypasses sanitization and, because handler methods in the action class are identified case-insensitively, overrides the target path of the uploaded file.
  In this example, a new JSP is deployed into the Web application directory rooted at “webapp”, from where the attacker can call it through a browser.
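The request shape described above can be checked for at the edge (reverse proxy, WAF rule, or an audit of captured multipart bodies). The following Python is an added example, not code from the post or from Apache Struts; it assumes, as the post describes, that Struts derives “<field>FileName” and “<field>ContentType” parameters from every file part, and it flags a text field that collides with such a name only by case, as well as “..” segments in any filename or value. The sample bodies are constructed, not captured traffic.

```python
import re

# Struts derives "<field>FileName" and "<field>ContentType" parameters from each
# file part (assumption taken from the write-up); a text field matching one of
# them only by case is the override that changes the upload target.
DERIVED_SUFFIXES = ("FileName", "ContentType")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
DISP_PARAM = re.compile(r';\s*(\w+)="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into dicts with name, filename, value."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = ""
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disp = val
        params = dict(DISP_PARAM.findall(disp))
        parts.append({"name": params.get("name", ""), "filename": params.get("filename"),
                      "value": payload.rstrip(b"\r\n").decode("latin-1")})
    return parts


def audit_upload_request(body: bytes, boundary: str) -> list:
    """Return findings matching the CVE-2023-50164 request shape; empty if clean."""
    parts = parse_multipart(body, boundary)
    derived = {p["name"] + s for p in parts if p["filename"] is not None
               for s in DERIVED_SUFFIXES}
    folded = {d.lower(): d for d in derived}  # case-insensitive lookup
    findings = []
    for p in parts:
        if p["filename"] is None and p["name"].lower() in folded:
            findings.append(f"text field '{p['name']}' collides case-insensitively "
                            f"with derived parameter '{folded[p['name'].lower()]}'")
        for label, val in (("filename", p["filename"]), ("value", p["value"])):
            if val and TRAVERSAL.search(val):
                findings.append(f"path traversal in {label} of field '{p['name']}': {val}")
    return findings


# Constructed sample bodies: a benign upload, and the same upload with the extra
# part from the write-up appended.
BOUNDARY = "----constructed"
BENIGN_BODY = (b"------constructed\r\n"
               b'Content-Disposition: form-data; name="Upload"; filename="notes.txt"\r\n'
               b"Content-Type: text/plain\r\n\r\nhello\r\n------constructed--\r\n")
MALICIOUS_BODY = BENIGN_BODY.replace(
    b"------constructed--\r\n",
    b'------constructed\r\nContent-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    b"../src/main/webapp/foo.jsp\r\n------constructed--\r\n")
```

The check is deliberately request-level and independent of the Struts version, so it is useful as a stop-gap while applications are being identified and updated; it does not replace the upgrade.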
Which versions are affected?
Regular readers of our blog may remember a recent post on the problems of mapping vulnerabilities to components and applications. One of those problems is the handling of unmaintained project releases: end-of-life components may or may not be investigated by the project maintainers, and vulnerability databases may or may not list all affected releases.
In the case of CVE-2023-50164, the official advisory explicitly states that the EOL releases “Struts 2.0.0 - Struts 2.3.37” are affected (which is correctly reflected by the CPEs of the CVE). The GitHub Advisory Database, however, only mentions the releases 2.5-BETA1 - 2.5.32 and 6.0.0 - 6.3.0.1 (as of Dec 18, 16h45 CET), which could confuse and mislead users. This data is also replicated to the Open Source Vulnerability (OSV) database.
To clarify this ambiguity, we set up a sample Struts2 application with version 2.3.1, which was released as early as 2011. The result is that this version is indeed vulnerable to the attack presented above (as correctly indicated by the project maintainers). Accordingly, we created a pull request to fix the GitHub Security Advisory.
Conclusion
Users of Apache Struts should give the highest priority to identifying and updating all applications. As demonstrated by the Equifax data breach in 2017, caused by the Struts vulnerability CVE-2017-5638, failing to identify a single application can have devastating consequences.
Maintainers of public and private vulnerability databases must make sure to list all 2.x versions of Apache Struts as affected by the vulnerability.