Apache has warned customers of a critical remote code execution vulnerability in its popular Struts 2 framework.
Apache Struts 2 is an open-source web application framework for developing Java EE web applications.
The new vulnerability, CVE-2023-50164, has been given a maximum severity rating and affects Struts 2.0.0-2.3.37 (a branch that is already end-of-life), Struts 2.5.0-2.5.32, and Struts 6.0.0-6.3.0. According to Apache's advisory, an attacker can manipulate file upload parameters to achieve path traversal, which in some circumstances lets them upload a malicious file and use it to execute code remotely.
Struts 2 developers and users are urged to upgrade immediately to version 2.5.33, or to Struts 6.3.0.2 or later.
For customers who can't patch immediately, the interim advice is to ensure that applications are configured to accept only authorized file types and to limit the size of uploaded files.
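As an added example (not code from the article or from the Apache project), the following struts.xml fragment applies both interim mitigations through the stock fileUpload interceptor: a global cap on multipart request size, a per-file size cap, and allow-lists of MIME types and extensions. The action name, the com.example.UploadAction class, the JSP paths and the byte limits are placeholders chosen for illustration; the parameter names (struts.multipart.maxSize, fileUpload.maximumSize, fileUpload.allowedTypes, fileUpload.allowedExtensions) are the real Struts 2 settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Global cap on the whole multipart request body, in bytes.
         2 MiB is an assumed value; size it to the largest legitimate upload. -->
    <constant name="struts.multipart.maxSize" value="2097152" />

    <package name="uploads" extends="struts-default">
        <!-- "upload" and com.example.UploadAction are placeholder names, not from the article. -->
        <action name="upload" class="com.example.UploadAction">
            <!-- Override the fileUpload interceptor's parameters inside the default stack
                 (interceptorName.paramName) instead of adding a second fileUpload ref,
                 so exactly one copy of the interceptor runs, with the restricted settings. -->
            <interceptor-ref name="defaultStack">
                <!-- Per-file cap, in bytes (1 MiB, assumed) -->
                <param name="fileUpload.maximumSize">1048576</param>
                <!-- Allow-list of declared MIME types; anything else is rejected -->
                <param name="fileUpload.allowedTypes">image/png,image/jpeg,application/pdf</param>
                <!-- Allow-list of extensions, checked against the client-supplied file name -->
                <param name="fileUpload.allowedExtensions">.png,.jpg,.jpeg,.pdf</param>
            </interceptor-ref>
            <result name="success">/WEB-INF/jsp/upload-ok.jsp</result>
            <!-- A rejected file produces a field error and the "input" result -->
            <result name="input">/WEB-INF/jsp/upload-form.jsp</result>
        </action>
    </package>
</struts>
```

Two caveats for anyone relying on this while waiting to upgrade. First, allowedTypes checks the Content-Type the client declares and allowedExtensions checks the client-supplied file name; both are attacker controlled, so these settings narrow what a malicious upload can look like but do not remove the underlying flaw. Second, Struts 6.x applications should reference the struts-6.0 DTD rather than the 2.5 one shown here; the interceptor parameters are the same.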
Users are well advised to follow Apache's patching guidance: a major Struts 2 vulnerability that Equifax failed to patch led to a hugely damaging breach at the credit agency in 2017.
Although an update fixing CVE-2017-5638 was issued on March 7 2017, the bug went unpatched at Equifax, and the firm's internal vulnerability scanning did not work as intended and failed to flag the exposed system.
That allowed attackers to exploit the flaw and gain access on March 10 2017 via a consumer complaint web portal, then take advantage of poor network segmentation and usernames and passwords stored in plain text to move laterally.
Threat researchers later warned that tens of thousands of applications running Struts 2 could be targeted in the same way unless patched.
Source: www.infosecurity-magazine.com. Publication date: Tue, 12 Dec 2023 09:30:19 +0000