Four Out of Five Downloads of Apache Struts 2 Are for Versions Containing a Critical Vulnerability

Developers Neglecting Critical RCE Vulnerability in Apache Struts

Security vendor Sonatype has raised concerns that developers are overlooking a critical remote code execution (RCE) vulnerability within the Apache Struts 2 framework. Despite the availability of a fixed version, recent download data suggests a persistent neglect of necessary updates.

Details and Severity of the Apache Struts 2 Vulnerability

The vulnerability in question is identified as CVE-2023-50164 and carries a severe 9.8 out of 10 CVSS rating. This flaw stems from a logic issue in the framework’s file upload mechanism, where maliciously crafted file uploads can lead to unauthorized document storage, possibly enabling attackers to gain control over affected systems.

Potential Impact of the Vulnerability

If exploited, the vulnerability can have devastating effects, such as data theft, malware spread, and extensive network breaches, thereby posing significant risks to affected organizations and their data security.

Availability of Fixes for Apache Struts

Addressing the issue is straightforward: developers should upgrade to the patched versions of the Apache Struts framework, which fix this security flaw.

Lack of Adoption for Secure Struts Versions

Despite the clear solution, Sonatype’s findings indicate that the majority of downloads from the Maven Central repository, approximately 80 percent, continue to be of vulnerable Struts versions. This is alarmingly worse than the update response to the Log4j fix from 2021.

Continued Vulnerability Despite Proof of Concept Release

The situation remains dire even after the release of proof of concept (PoC) exploit code, which prompted government cyber-advisory services to issue urgent calls for patching. Moreover, despite reports of active exploitation attempts, the rate at which secure Struts versions are being adopted remains disappointingly low.

Industry Advice and Preconditions for Attack Success

Security professionals stress the urgency of upgrading to the latest version of Apache Struts 2. However, they note that a successful attack requires several preconditions to be met, possibly explaining the lower risk perception among some organizations.

Challenges in Exploiting the Vulnerability

Successful exploitation of CVE-2023-50164 is made harder by the difficulty of scanning for vulnerable endpoints and by the specific preconditions the exploit requires.

Considerations for the Seriousness of the Vulnerability’s Potential Exploitation

Despite the obstacles to exploitation, the vulnerability’s potential for damage, if successfully leveraged, warrants serious attention, especially given that the attack could be automated and targets a widely used framework like Struts 2.

Call for Proactive Measures During the Holiday Season

As the holiday season approaches, experts like Sonatype’s field CTO Ilkka Turunen emphasize the imperative need to address this vulnerability promptly, referencing previous significant breaches as cautionary examples. Open-source software, while beneficial, requires the same vigilant maintenance as any other technology. Organizations should keep a detailed inventory of their software and regularly scan for components like struts2-core
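One way to run the inventory scan recommended above, as an added example that is not from the article or from Sonatype: it walks a directory tree, looks inside WAR/EAR/JAR archives (including nested ones) for `struts2-core` jars, and flags any version below a threshold you supply. The `FIXED` thresholds are placeholders to fill in from the Apache Struts advisory for CVE-2023-50164; matching is by file name only, so shaded or renamed jars are an assumed blind spot.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# struts2-core-<version>[-classifier].jar, as a file or as an archive entry.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")

def scan_archive(data, label, found):
    """Record struts2-core jars inside a zip blob, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to inventory
    with zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                found.append((f"{label}!{name}", m.group(1)))
            elif name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", found)

def find_struts(root):
    """Return (location, version) for every struts2-core jar under root."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        m = JAR_RE.search(path.as_posix())
        if m:
            found.append((str(path), m.group(1)))
        elif path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), found)
    return found

def audit(root, fixed_versions):
    """Rows of (location, version, needs_upgrade). fixed_versions maps a major
    version to the first fixed release tuple; a major with no entry is flagged."""
    rows = []
    for location, ver in find_struts(root):
        v = tuple(int(p) for p in ver.split("."))
        fixed = fixed_versions.get(v[0])
        rows.append((location, ver, fixed is None or v < fixed))
    return sorted(rows)

if __name__ == "__main__":
    # Placeholder: fill in {major: (first, fixed, release)} from the Apache advisory.
    FIXED = {}  # while empty, every hit is reported for review
    for loc, ver, bad in audit(sys.argv[1] if len(sys.argv) > 1 else ".", FIXED):
        print("UPGRADE" if bad else "ok     ", ver, loc)
```

Run it against build output and deployment directories, not only source trees, since the jar usually arrives as a transitive dependency packaged in `WEB-INF/lib`.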