Detecting Web Applications Exposed to the Apache Struts 2 RCE Vulnerability

A critical vulnerability, identified as CVE-2023-50164 with a severity rating of 9.8 according to CVSS 3, was recently discovered in Apache Struts 2. A patch advisory has been released to address the issue. This vulnerability allows attackers to manipulate file upload parameters and achieve Remote Code Execution (RCE). With manipulated parameters, the attacker can remotely upload executable malicious code to an arbitrary file path for malicious purposes.

This article will analyze the file upload and remote code execution in Apache Struts 2. We will also explore how to check servers exposed to the internet.

What is Apache Struts 2?

Apache Struts 2 is an open-source development framework designed to build Java enterprise-grade web applications. The disclosed CVE-2023-50164 vulnerability allows attackers to manipulate file upload parameters to enable path traversal. Therefore, attackers can upload malicious files and initiate remote code execution. This security flaw could lead to unauthorized access to the web server, potentially resulting in sensitive data manipulation and theft, service interruptions, and further exploitation of the compromised system. The endpoint /upload.action on the target domain is reported as the entry point for this exploitable vulnerability.

Vulnerability Attack Payload That Allows Remote Code Execution

An attacker can upload a web shell to an Apache Struts 2 server by manipulating parameters during file upload and using path traversal techniques like ‘../../’. 

[Figure: A payload for uploading a web shell using path traversal]
[Figure: The successful remote code execution screen during the attack using PoC code]
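The root cause described above is a client-controlled file name being joined to a server-side directory without normalization, so '../' segments walk out of the intended upload location. The following is an added example, not code from the article or from the Apache Struts project: it contrasts the unsafe join with a hardened version that keeps only the base name and verifies the final path stays under the upload root. The upload root and file names are constructed for illustration.

```python
import posixpath

# Constructed upload root used for the example (an assumption, not a Struts setting).
UPLOAD_ROOT = "/var/app/uploads"


def vulnerable_target_path(upload_root: str, client_filename: str) -> str:
    """The unsafe pattern: the client-supplied name is joined to the upload
    directory as-is, so '../' segments resolve to a path outside that directory."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def safe_target_path(upload_root: str, client_filename: str) -> str:
    """Hardened handling: reduce the client name to its base name, refuse
    empty or dot names, and confirm the resolved path stays under the root."""
    # Treat backslashes as separators too, so 'a\\..\\b' cannot slip past the check.
    name = client_filename.replace("\\", "/")
    base = posixpath.basename(name)
    if base in ("", ".", ".."):
        raise ValueError("invalid upload filename")
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(posixpath.join(root, base))
    # Defense in depth: even after basename(), assert containment explicitly.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("upload filename escapes the upload directory")
    return target


def is_traversal_attempt(client_filename: str) -> bool:
    """Detection helper for request inspection or WAF-style logging: True when
    the supplied name contains a '..' segment or is an absolute path."""
    name = client_filename.replace("\\", "/")
    return name.startswith("/") or any(seg == ".." for seg in name.split("/"))


if __name__ == "__main__":
    # Constructed file names: one benign, one carrying a traversal sequence.
    for fname in ("report.pdf", "../../outside.txt"):
        print(fname, "->", vulnerable_target_path(UPLOAD_ROOT, fname),
              "| safe:", safe_target_path(UPLOAD_ROOT, fname),
              "| traversal:", is_traversal_attempt(fname))
```

The check operates on the decoded multipart file name; any URL decoding must happen before it is called, otherwise an encoded traversal sequence would be evaluated as a literal file name.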

Apache Struts 2 Web Applications Detected by Threat Intelligence Search Engine

You can use the search filters and keywords below on Criminal IP Asset Search to find websites running Apache Struts 2 web applications. We searched for Showcase, the sample web application shipped with Apache Struts 2.

Search queries:

  • title: “Showcase”
  • title: “Struts2 Showcase”
  • “/struts/utils.js”
  • title: “Struts2 jQuery Plugin Showcase”

[Figure: Search results for the Apache Struts 2 plugin revealed websites with the potential for remote code execution]
[Figure: Search results for the Apache Struts 2 web applications detected more websites with the potential for remote code execution]

Statistics on Countries with Apache Struts 2 Web Applications Exposed Online

With the Element Analysis feature of Criminal IP, you can use the query “title: Struts2 Showcase” to access the related statistics. These statistics show which countries host Showcase, the sample web application from Apache Struts 2, exposed on the internet. In total, 18 countries were identified as hosting the exposed Apache Struts 2 application. Among these countries, the United States appeared the most with 486 devices, followed by Japan with 220 devices, and China with 204 devices.

https://www.criminalip.io/intelligence/element-analysis/search?query=title%3A+%E2%80%9CStruts2+Showcase%E2%80%9D&category=asset&element=country

[Figure: Statistics on countries using Apache Struts 2 web applications detected by Criminal IP]

Apache Struts 2 Framework Mapped with the .Action Extension Structure

Websites developed using the Apache Struts 2 framework are primarily structured and executed using the *.action extension. As mentioned above, the endpoint for this CVE-2023-50164 vulnerability is /upload.action.

[Figure: Websites with exposed .action extensions that allow remote code execution]
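Because Struts 2 routes requests through *.action endpoints, a web server's own access log is a quick inventory of which Struts endpoints are reachable and who is posting to /upload.action. The following is an added example, not code from the article or from Criminal IP: it parses constructed Common Log Format lines (IP addresses and paths are made up) and counts requests per .action endpoint, lists clients that POSTed to an upload.action endpoint, and also flags the /struts/utils.js path used as a search fingerprint above. The Showcase context path is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2023:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120
203.0.113.10 - - [11/Dec/2023:10:01:05 +0000] "GET /struts2-showcase/struts/utils.js HTTP/1.1" 200 3311
198.51.100.7 - - [11/Dec/2023:10:02:17 +0000] "POST /struts2-showcase/fileupload/upload.action HTTP/1.1" 200 812
198.51.100.7 - - [11/Dec/2023:10:02:18 +0000] "POST /struts2-showcase/fileupload/upload.action HTTP/1.1" 200 812
192.0.2.44 - - [11/Dec/2023:10:03:40 +0000] "GET /images/logo.png HTTP/1.1" 304 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict with ip, method, decoded path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so '%2e%2e' style variants compare as plain text.
    path = unquote(urlsplit(m["target"]).path)
    return {"ip": m["ip"], "method": m["method"], "path": path, "status": int(m["status"])}


def action_endpoints(log_text: str) -> Counter:
    """Count requests per (method, path) for every *.action endpoint seen."""
    counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(".action"):
            counter[(rec["method"], rec["path"])] += 1
    return counter


def upload_action_sources(log_text: str) -> dict:
    """Client IPs that POSTed to an upload.action endpoint, with request counts."""
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].lower().endswith("/upload.action"):
            sources[rec["ip"]] += 1
    return dict(sources)


def struts_fingerprint_hits(log_text: str) -> int:
    """Requests for the /struts/utils.js static file, a Struts 2 presence indicator."""
    return sum(
        1 for line in log_text.splitlines()
        if (rec := parse_line(line)) and rec["path"].endswith("/struts/utils.js")
    )


if __name__ == "__main__":
    for (method, path), n in sorted(action_endpoints(SAMPLE_LOG).items()):
        print(f"{n:4d}  {method:5s} {path}")
    print("upload.action POST sources:", upload_action_sources(SAMPLE_LOG))
    print("utils.js fingerprint hits:", struts_fingerprint_hits(SAMPLE_LOG))
```

Run it against a real access log by reading the file into `SAMPLE_LOG`'s place; the regex expects the Common Log Format prefix, which Combined Log Format lines also satisfy.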

The Affected Versions and Security Patch Recommendations

As reported by the reputable security media Bleeping Computer, Apache Struts versions 2.0.0 to 2.5.32 and versions 6.0.0 to 6.3.0.1 are affected by this vulnerability.

  • Struts 2.0.0 – Struts 2.3.37 (EOL) 
  • Struts 2.5.0 – Struts 2.5.32 
  • Struts 6.0.0 – Struts 6.3.0 
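A practical first step in patch triage is comparing the deployed struts2-core version against the ranges listed above. The following is an added example, not code from the article or from the Apache Struts project: it parses a version string (or a struts2-core jar file name found under WEB-INF/lib) into a comparable tuple and reports whether it falls inside the affected ranges, using the 6.3.0.1 upper bound given in the text and marking the 2.0.0 to 2.3.37 branch as end-of-life. The jar path and version strings used below are constructed.

```python
import re

# Inclusive affected ranges as listed in the article.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0, 1)),
]

# Branch the article marks as end-of-life: it will not receive a fix in place.
EOL_RANGE = ((2, 0, 0), (2, 3, 37))

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-+][\w.]*)?")
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '2.5.32' or '6.3.0.1' (an optional '-qualifier' is ignored) into an int tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_jar_name(path: str) -> str:
    """Extract the version from a path such as 'WEB-INF/lib/struts2-core-2.5.32.jar'."""
    m = JAR_RE.search(path.replace("\\", "/"))
    if not m:
        raise ValueError(f"not a struts2-core jar name: {path!r}")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the listed affected ranges.
    Tuple comparison handles the four-part 6.3.0.x numbering: (6,3,0) <= (6,3,0,1)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_eol(version: str) -> bool:
    v = parse_version(version)
    lo, hi = EOL_RANGE
    return lo <= v <= hi


def assess(version: str) -> str:
    """Short triage verdict for a single deployed version."""
    if is_affected(version):
        if is_eol(version):
            return "affected (end-of-life branch, migrate to a supported release)"
        return "affected (apply the patched release)"
    return "not in the listed affected ranges"


if __name__ == "__main__":
    # Constructed inputs: a jar path and a few version strings.
    jar = "WEB-INF/lib/struts2-core-2.5.32.jar"
    print(jar, "->", version_from_jar_name(jar), "->", assess(version_from_jar_name(jar)))
    for v in ("2.3.37", "2.5.33", "6.3.0", "6.3.0.1", "6.3.0.2"):
        print(v, "->", assess(v))
```

Point the jar-name parser at the output of a `find` over your deployment directories to triage many applications at once; the verdict string is deliberately plain so it can be pasted into a ticket.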

Cyber attackers have been exploiting the CVE-2023-50164 vulnerability extensively since its discovery, presenting a substantial security threat to organizations and users worldwide. Using the threat intelligence search engine Criminal IP, Apache Struts 2 users can detect web applications vulnerable to remote code execution risks and promptly apply security patches.

Related to this topic, you can refer to the article on Over 100,000 Juniper Firewalls Exposed: Beware of the RCE Vulnerability Bug Chain

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.

Source: Criminal IP (https://www.criminalip.io)
