Concerns are high over a critical, recently disclosed remote code execution vulnerability in Apache Struts 2 that attackers have been actively exploiting over the past few days.
Apache Struts is a widely used open source framework for building Java applications.
The Apache Software Foundation disclosed the bug on Dec. 7 and gave it a near maximum severity rating of 9.8 out of 10 on the CVSS scale.
The vulnerability, tracked as CVE-2023-50164, has to do with how Struts handles parameters in file uploads and gives attackers a way to gain complete control of affected systems.
A Widely Prevalent Security Issue Affecting Java Apps
The flaw has evoked considerable concern because of its prevalence, the fact that it is remotely executable, and because proof-of-concept exploit code is publicly available for it.
Since the disclosure of the flaw last week, multiple vendors - and entities such as ShadowServer - have reported seeing signs of exploit activity targeting the flaw.
Security experts estimate there are thousands of applications worldwide - including those in use at many Fortune 500 companies and organizations in government and critical infrastructure sectors - that are based on Apache Struts.
Many vendor technologies incorporate Apache Struts 2 as well.
The vulnerability affects Struts versions 2.5.0 to 2.5.32 and Struts versions 6.0.0 to 6.3.0.
The bug is also present in Struts versions 2.0.0 to Struts 2.3.37, which are now end-of-life.
The ASF, security vendors and entities such as the US Cybersecurity and Information Security Agency have recommended that organizations using the software immediately update to Struts version 2.5.33 or Struts 6.3.0.2 or greater.
No mitigations are available for the vulnerability, according to the ASF. In recent years, researchers have unearthed numerous flaws in Struts.
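Because the advisory's remedy is a version upgrade rather than a configuration change, the practical first step for a defender is to find every copy of the Struts core library on a host and classify it against the version ranges quoted above. The following script is an added example, not code from Dark Reading, the ASF or the Struts project; it encodes the affected, end-of-life and fixed versions exactly as the article states them, recognises jar file names of the form struts2-core-<version>.jar (a naming assumption), and reports anything the quoted ranges do not cover as "unknown" rather than guessing.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Version ranges as stated in the article (inclusive bounds).
VULNERABLE_RANGES = [
    ((2, 5, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0)),
]
EOL_RANGE = ((2, 0, 0), (2, 3, 37))          # affected and no longer supported
FIXED_25 = (2, 5, 33)                        # fixed release on the 2.5 line
FIXED_6 = (6, 3, 0, 2)                       # "6.3.0.2 or greater"

# Assumed jar naming convention: struts2-core-<dotted version>.jar
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.3.0.2' into (6, 3, 0, 2) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(version: str) -> str:
    """Map a Struts version string onto the advisory's ranges."""
    v = parse_version(version)
    if EOL_RANGE[0] <= v <= EOL_RANGE[1]:
        return "vulnerable-eol"
    for low, high in VULNERABLE_RANGES:
        if low <= v <= high:
            return "vulnerable"
    if v[:2] == (2, 5) and v >= FIXED_25:
        return "fixed"
    if v >= FIXED_6:
        return "fixed"
    # e.g. 2.4.x or 6.3.0.1: not covered by the quoted ranges, so do not guess
    return "unknown"


def version_from_jar_name(name: str) -> Optional[str]:
    """Extract the version from a struts2-core jar name, or None if it is not one."""
    match = _JAR_RE.match(name)
    return match.group(1) if match else None


def audit_jar_names(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Classify every Struts core jar in a list of file names."""
    findings = []
    for name in names:
        version = version_from_jar_name(name)
        if version is not None:
            findings.append((name, version, classify(version)))
    return findings


def audit_directory(root: str) -> List[Tuple[str, str, str]]:
    """Walk a deployment directory (e.g. WEB-INF/lib) and classify Struts jars."""
    return audit_jar_names(p.name for p in Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample of jar names, standing in for a real WEB-INF/lib listing
    sample = [
        "struts2-core-2.5.30.jar",
        "struts2-core-6.3.0.2.jar",
        "log4j-core-2.17.1.jar",
    ]
    for jar, version, status in audit_jar_names(sample):
        print(f"{jar}: {version} -> {status}")
```

Run it against a real application directory with audit_directory("/path/to/webapp/WEB-INF/lib"); any "vulnerable" or "vulnerable-eol" result is a host to patch, and "unknown" results should be checked against the vendor advisory by hand rather than assumed safe. Note that vendor products bundling Struts may relocate or rename the jar, so a name-based scan is a starting point, not a complete inventory.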
That bug is actually still floating around - campaigns using the just-discovered NKAbuse blockchain malware are exploiting it for initial access.
A Dangerous Apache Struts 2 Bug, but Hard to Exploit
Researchers at Trend Micro who analyzed the new Apache Struts vulnerability this week described it as dangerous but considerably harder to exploit at scale than the 2017 bug, which was little more than a scan-and-exploit issue.
To exploit the flaw, an attacker would first need to scan for and identify websites or Web applications using a vulnerable Apache Struts version, Akamai said in a report summarizing its analysis of the threat this week.
The request would contain hidden commands that would cause the vulnerable system to place the file in a location or directory from where the attacker could access it and trigger the execution of malicious code on the affected system.
The requirements for an attacker to successfully exploit the vulnerability can vary significantly by implementation, Tinklenberg adds.
If a vulnerable app does not allow unauthorized user uploads, the attacker would need to gain authentication and authorization via other means.
The attacker would also need to identify the endpoint using the vulnerable file upload function, he says.
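The failure mode described above, an upload whose parameters steer the stored file into a directory the attacker can reach, is the general reason upload handlers must decide the destination path themselves and verify it before writing. The following is an added example, not Struts code and not the project's actual fix; it is written in Python because the containment logic is language-agnostic, and it assumes an upload root directory and a client-supplied file name as its only inputs. It rejects anything other than a plain file name and then confirms that the fully resolved destination still sits directly under the upload root.

```python
import re
from pathlib import Path

# Only plain file names: letters, digits, dot, underscore, hyphen; no leading dot,
# no path separators, no control characters. (Policy chosen for this example.)
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$")


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied file name must not be used."""


def safe_destination(upload_root: str, client_filename: str) -> Path:
    """Return the only path an upload with this name may be written to.

    Two independent checks: a strict allow-list on the name itself, and a
    check that the resolved destination's parent is exactly the upload root.
    The second check catches anything the first might miss (e.g. a root that
    is itself a symlink, or a future relaxation of the name policy).
    """
    if not _SAFE_NAME.match(client_filename):
        raise UnsafeUploadName(f"rejected file name: {client_filename!r}")

    root = Path(upload_root).resolve()
    dest = (root / client_filename).resolve()
    if dest.parent != root:
        raise UnsafeUploadName(f"destination escapes upload root: {dest}")
    return dest


def store_upload(upload_root: str, client_filename: str, data: bytes) -> Path:
    """Write the bytes to the validated destination and return where they went."""
    dest = safe_destination(upload_root, client_filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    # Exclusive create: never overwrite an existing file with client-chosen content.
    with open(dest, "xb") as fh:
        fh.write(data)
    return dest


def is_accepted(upload_root: str, client_filename: str) -> bool:
    """Convenience predicate for tests and logging: would this name be accepted?"""
    try:
        safe_destination(upload_root, client_filename)
        return True
    except UnsafeUploadName:
        return False


if __name__ == "__main__":
    # Constructed sample names illustrating the policy
    for name in ["report.pdf", "../report.pdf", "sub/report.pdf", ".htaccess", "a\\b.txt"]:
        print(f"{name!r}: {'accepted' if is_accepted('uploads', name) else 'rejected'}")
```

A handler built this way never lets a request parameter choose the directory, which is the property the vulnerable behaviour described above lacks. Logging every rejection (with the offending name) also gives detection teams a cheap signal that someone is probing the upload endpoint.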
While this vulnerability in Apache Struts might not be as readily exploitable on a large scale compared with previous flaws, its presence in such a widely adopted framework certainly raises significant security concerns, says Saeed Abbasi, manager of vulnerability and threat research at Qualys.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 15 Dec 2023 21:15:17 +0000