Four in five Apache Struts 2 downloads are for versions featuring critical flaw

Seriously, people - please check the stuff you fetch more carefully


Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.

The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 in terms of CVSS severity. It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine. Thus someone could, for instance, use the flaw to upload a webshell script to a web server, and access it to take control of or get a foothold on that system.

The consequences of successful exploitation could be hugely damaging: think data theft, malware infections, network intrusion, and that sort of thing.

The fix is simple: use versions of Struts that have been fixed.
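Upgrading is the fix, but the bug class described above (a client influencing where an uploaded file lands on disk) is also something an application can defend against in its own code, whatever framework sits underneath. The following is an added example in the defender's stance, written for this page and not taken from the Struts project or from the article: a small Python helper that discards any directory components the client supplies, allow-lists extensions, and re-checks that the final destination still resolves inside the upload root. The upload root path, the allow-list and the function names are assumptions chosen for illustration.

```python
"""Confine client-supplied upload names to a fixed directory.

Added example (generic Python, not Struts code and not the CVE-2023-50164 fix).
Every path, extension and function name here is an illustrative assumption.
"""
from pathlib import Path
from typing import Union

# Hypothetical upload root and extension allow-list; a real service sets its own.
UPLOAD_ROOT = Path("/srv/uploads")
ALLOWED_SUFFIXES = frozenset({".png", ".jpg", ".pdf"})


def resolve_inside(root: Union[str, Path], untrusted_relative: str) -> Path:
    """Resolve an untrusted relative path under root and return it only if the
    result is still strictly inside root. '..' segments and symlinks are
    resolved before the containment check, so they cannot be used to escape."""
    base = Path(root).resolve()
    candidate = (base / untrusted_relative).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"path escapes upload root: {untrusted_relative!r}")
    return candidate


def safe_upload_path(root: Union[str, Path], client_filename: str,
                     allowed_suffixes: frozenset = ALLOWED_SUFFIXES) -> Path:
    """Map a client-chosen file name to a destination inside root.

    Directory components from the client are dropped (both '/' and '\\' count
    as separators), NUL bytes and dot-only names are rejected, the extension
    must be on the allow-list, and the result is re-checked by resolve_inside
    as a second, independent layer."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in file name")
    # Keep only the final path component: the client never chooses a directory.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only file name")
    # Path('evil.pdf.jsp').suffix is '.jsp', so double extensions are caught too.
    if Path(name).suffix.lower() not in allowed_suffixes:
        raise ValueError(f"extension not allowed: {name!r}")
    return resolve_inside(root, name)


if __name__ == "__main__":
    # Constructed inputs: one benign name and one traversal attempt.
    for supplied in ("report.pdf", "../../etc/cron.d/job.pdf", "shell.jsp"):
        try:
            print(supplied, "->", safe_upload_path(UPLOAD_ROOT, supplied))
        except ValueError as err:
            print(supplied, "-> rejected:", err)
```

The two checks are deliberately redundant: the name sanitisation alone would already stop traversal, but `resolve_inside` keeps the handler safe if someone later changes the code to accept sub-directories from the client.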

Yet researchers at Sonatype, which operates the Maven Central repository of open source software, have found that between the December 7 disclosure of the flaw and December 18, around 80 percent of Struts downloads from that code silo were for versions that remain vulnerable to CVE-2023-50164.

That figure, the supplier asserts, is much worse than the adoption of the fixed version of Log4j in 2021 over a comparable timeframe.

The low download rate for safe cuts of Struts comes despite the release of proof of concept (PoC) exploit code that prompted government cyber-advisory services to call for rapid patching of the vulnerability.

Various sources confirmed the vulnerability was under active exploitation as of December 13, although many attempts weren't valid since they weren't targeting endpoints with file upload functionality.

Regardless, many industry experts were quick to reaffirm the recommended guidance – which was to upgrade to the latest version of Struts 2 as soon as possible – but noted there was a list of preconditions that had to be met in order for an attack to be successful.

"We believe that in most scenarios … most instances of exploitation of CVE-2023-50164 will be more one-off custom attacks against impacted applications meeting the required preconditions versus indiscriminate mass-exploitation attempts," noted Praetorian's researchers, whose write-up nicely explains the constraints on real-world exploitation.

"However, while the risk of exploitation is much lower than prior vulnerabilities in Apache Struts, we still recommend that application developers running the impacted version of Apache Struts promptly upload to the latest version even in scenarios where the necessary preconditions for exploitability are unmet."

The researchers went on to point out that another factor hampering successful exploitation is the difficulty involved with scanning for vulnerable endpoints – again owing to the number of preconditions and the requirement for file upload functionality.

Despite the low likelihood of exploitation, Ilkka Turunen, field CTO at Sonatype, argued there are factors at play that make the vulnerability's potential exploitation worth serious consideration.

If an attacker were to find an exploitable endpoint, or a collection of them, the attack is easily automatable. There is also no shortage of potential targets on the web if an attacker is reliably able to scan for vulnerable instances, given the wide use of Struts 2, and because lower staffing levels at organizations often delay security upgrades and attack detection.

"As we navigate the holiday season, the urgency to address the Struts 2 vulnerability should be a high priority," he blogged. "The potential for remote code execution, reminiscent of the compromise that affected Equifax, underscores the need for swift action.

"While not as severe as some high-profile cases like log4j two years ago, these incidents serve as a reminder that open source, like any technology, requires vigilant maintenance. So, catalog your software and know your components. Additionally, create software bills of materials and scan for struts2-core." ®
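The closing advice, to build a software bill of materials and scan it for struts2-core, is straightforward to automate. The following is an added example, not Sonatype's tooling and not code from the article: a Python script that walks a CycloneDX JSON SBOM (including nested components), finds every struts2-core entry, and flags those below a per-branch minimum fixed version. The article does not give the fixed version numbers, so the thresholds shipped here are placeholders that flag every 2.x and 6.x build until you replace them with the minimums from the Apache Struts advisory for CVE-2023-50164; the sample SBOM is constructed for illustration.

```python
"""Scan a CycloneDX SBOM for struts2-core builds below a fixed version.

Added example; not Sonatype's code and not from the article. The SBOM below is
constructed, and PLACEHOLDER_MIN_FIXED must be replaced with the real minimum
fixed versions from the Apache Struts advisory for CVE-2023-50164.
"""
import json
import re
from typing import Iterator, Tuple

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape, not a real project's.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
         "version": "2.5.22",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.22"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.21.1"},
        {"type": "application", "name": "internal-app", "version": "1.0",
         "components": [  # nested components must be walked too
             {"type": "library", "group": "org.apache.struts",
              "name": "struts2-core", "version": "6.3.0"},
         ]},
    ],
})

# Placeholder thresholds keyed by release branch (the major version number).
# They are deliberately unreachable so that EVERY 2.x and 6.x build is flagged
# until the real minimums from the Apache Struts advisory are filled in.
PLACEHOLDER_MIN_FIXED = {2: (2, 999, 999), 6: (6, 999, 999)}

Version = Tuple[int, ...]


def parse_version(version: str) -> Version:
    """Turn '6.3.0.1' or '2.5.30-SNAPSHOT' into a tuple of ints; a '-qualifier'
    suffix is dropped before the numeric components are extracted."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_below(version: Version, minimum: Version) -> bool:
    """Compare tuples of different lengths by right-padding with zeros, so
    (6, 3, 0) is treated as 6.3.0.0 against a four-part minimum."""
    width = max(len(version), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) < pad(minimum)


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_vulnerable_struts(sbom_json: str, min_fixed_by_branch: dict) -> list:
    """Return one finding per struts2-core component whose version is below the
    fixed minimum for its branch, or whose branch has no known minimum (fail
    closed: an unknown branch is reported rather than silently passed)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in walk_components(sbom.get("components", [])):
        if comp.get("name") != "struts2-core":
            continue
        purl = comp.get("purl", "")
        if (comp.get("group") != "org.apache.struts"
                and not purl.startswith("pkg:maven/org.apache.struts/struts2-core@")):
            continue
        ver = parse_version(comp.get("version", "0"))
        branch = ver[0] if ver else 0
        minimum = min_fixed_by_branch.get(branch)
        if minimum is None:
            reason = "unknown branch"
        elif is_below(ver, minimum):
            reason = "below " + ".".join(str(n) for n in minimum)
        else:
            continue
        findings.append({"version": comp.get("version"), "branch": branch,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_struts(SAMPLE_SBOM, PLACEHOLDER_MIN_FIXED):
        print("struts2-core", finding["version"], "->", finding["reason"])
```

Feeding it a real SBOM is a matter of replacing `SAMPLE_SBOM` with the file contents; the per-branch dictionary shape matters because the two Struts release lines are fixed at different version numbers, so a single global minimum would misclassify one of them.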
