On December 7th, open-source web server software provider Apache disclosed a new vulnerability with a CVSS score of 9.8, currently tracked as CVE-2023-50164. It is a remote code execution (RCE) flaw in Apache Struts: an attacker can manipulate file upload parameters to achieve path traversal and, under some circumstances, upload a malicious file that is then leveraged for remote code execution.
The vulnerability affects Apache Struts versions 2.0.0 – 2.3.37, 2.5.0 – 2.5.32 and 6.0.0 – 18.104.22.168 and lies within the Struts ActionSupport class, whose file upload implementation contains a bug in the filtering of the filename parameter. According to Shadowserver, a small number of IP addresses are already attempting to exploit the vulnerability using the public PoC code.
Cisco also appears to be affected: on December 12th it sent an advisory to its customers alerting them of potential impact to some of its products, including Customer Collaboration Platform, Identity Services Engine (ISE), Nexus Dashboard Fabric Controller (NDFC) and Unified Communication.
This vulnerability is unrelated to the recent Apache ActiveMQ vulnerability, CVE-2023-46604, which has a CVSS score of 10.
What Should You Do?
- Identify all machines running Apache Struts.
- Verify whether it is running a vulnerable version. This can be done by checking the version of the struts2-core package.
- Verify whether the Java process is reachable from other machines within the environment. Machines that are not reachable are at lower risk, since the flaw cannot be exploited remotely within your environment.
- Patch the relevant machines.
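Steps 1 and 2 above, as an added example that is not XM Cyber's or Apache's code: the script walks a directory tree, pulls the version out of loose struts2-core jars and of jars packed under WEB-INF/lib in WAR files, and classifies it against the 2.x ranges quoted above. The 6.x range is assumed to be filled in by the reader from the Apache bulletin (its upper bound is not configured here), so 6.x hits are reported as REVIEW rather than silently passed; all paths and file names are constructed.

```python
"""Locate struts2-core jars (loose or inside WAR files) and classify their
version against the CVE-2023-50164 ranges quoted in the post. Added example,
not XM Cyber's or Apache's code; sample names and paths are constructed."""
import re
import zipfile
from pathlib import Path

# Inclusive ranges taken from the vulnerability summary above. The 6.x line is
# deliberately absent: copy its bounds from the Apache security bulletin before
# relying on this list for Struts 6 (see classify()).
VULNERABLE_RANGES = [("2.0.0", "2.3.37"), ("2.5.0", "2.5.32")]
HAS_6X_RANGE = any(lo.startswith("6.") for lo, _ in VULNERABLE_RANGES)

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+){1,3})\.jar$")

def parse_version(text):
    """'6.3.0.1' -> (6, 3, 0, 1); shorter versions are zero-padded so tuples compare."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_from_name(name):
    """Extract the Struts version from a jar name, or None if it is not struts2-core."""
    m = JAR_RE.search(name)
    return m.group(1) if m else None

def classify(version):
    """VULNERABLE / NOT_LISTED / REVIEW for a struts2-core version string."""
    v = parse_version(version)
    if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in VULNERABLE_RANGES):
        return "VULNERABLE"
    if v[0] == 6 and not HAS_6X_RANGE:
        return "REVIEW"  # 6.x range not configured: compare against the bulletin by hand
    return "NOT_LISTED"

def scan_tree(root):
    """Return {location: (version, verdict)} for every struts2-core jar under root,
    checking loose jars and the WEB-INF/lib entries of any .war archive."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix == ".jar" and (ver := version_from_name(path.name)):
            results[str(path)] = (ver, classify(ver))
        elif path.suffix == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:
                for entry in war.namelist():
                    ver = version_from_name(entry)
                    if ver and entry.startswith("WEB-INF/lib/"):
                        results[f"{path}!{entry}"] = (ver, classify(ver))
    return results

if __name__ == "__main__":
    import sys
    for loc, (ver, verdict) in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/").items()):
        print(f"{verdict:<10} struts2-core {ver:<10} {loc}")
```

Run it with the application root (for example the servlet container's webapps directory) as the argument; anything marked VULNERABLE or REVIEW is a candidate for step 3 and for patching.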
Identifying CVE-2023-50164 with XM Cyber
The XM Cyber Research team is in the process of adding CVE-2023-50164 to the platform to identify this vulnerability in the XM Cyber Exposure Management module and Vulnerability Management module. We will update this post as soon as it’s available.
As with other vulnerabilities, organizations lack context and visibility into which machines are at risk and which users could be exploited, which makes it very hard to know what to tackle first and how. With XM Cyber, you can understand the exploitability of CVE-2023-50164 in your organization in a prioritized manner.