December 17, 2023

Apache Struts 2 Remote Code Execution (CVE-2023-50164) – Cato’s Analysis and Mitigation

Dolev Moshe Attiya
Vadim Freger



On December 7th, 2023, the Apache Struts project disclosed a critical vulnerability (CVSS score 9.8) in its Struts 2 open-source web framework. The flaw lies in the file upload handling: an attacker can manipulate the upload parameters to control where an uploaded file is written, which results in arbitrary file upload and, where the file lands in a location the server will execute, remote code execution.

There is no known workaround; the only fix is to upgrade to a patched release (Struts 2.5.33 or 6.3.0.2 and later). The affected versions are:

  • Struts 2.0.0 – Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32
  • Struts 6.0.0 – Struts 6.3.0

The Struts framework, an open-source Java EE web application framework, is somewhat infamous for its history of critical vulnerabilities. Those include, but are not limited to, CVE-2017-5638, the vector of the very public Equifax data breach in 2017: an unpatched Struts 2 server led to the theft of roughly 145 million consumer records.

At the time of disclosure there were no known exploitation attempts, but several days later, on December 12th, a Proof-of-Concept (POC) exploit was made publicly available. Immediately afterwards we saw increased scanning and exploitation activity across Cato's global network. Within one day, Cato had deployed protection against the attack.

Rapid CVE Mitigation by Cato Security Research

Details of the vulnerability

The vulnerability combines two flaws in Struts 2 that together let an attacker control the name, and therefore the path, under which an uploaded file is written, and then execute it.

The first flaw concerns how file uploads are handled. A multipart upload is written to a temporary file, and Struts exposes it to the action through request parameters derived from the name of the form field: the file itself, its content type and its file name. The file name is sanitized by stripping any directory component before it is handed to the action, and the action then copies the temporary file to its final location using that file name. Anything that lets an attacker replace the sanitized file name with one of their own choosing therefore turns the copy step into an arbitrary file write.
The second flaw is that Struts treats HTTP parameter names as case-sensitive while the action properties they are mapped onto are not: uploadFileName and UploadFileName are stored as two distinct parameters, but both end up setting the same field. The attacker names the file part with a capitalized name, so that the sanitized file name is published under the capitalized key, and sends a second, lowercase parameter of the same name carrying the value they want. The lowercase parameter is applied afterwards and overwrites the sanitized value without undergoing the usual checks and validations.


Figure 1 – Example of the sequence of HTTP requests to simulate the exploit

This sets up a textbook directory traversal: the attacker-controlled file name can contain ../ sequences that redirect the copy out of the intended upload directory and into a folder the server executes, such as the web application's root. From there the attacker simply requests the uploaded file, for instance a JSP web shell, to gain command execution on the server.
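The parameter collision described above, as an added example written for this post (it is neither Cato's detection logic nor Struts source code). It parses a constructed multipart request, flags a plain form field that differs only in case from the "<part name>FileName" key the upload interceptor would derive, and models how the two spellings resolve inside the action. Everything below is assumed for illustration: the action's file field is named upload and copies the upload to a file named by uploadFileName under its upload directory, parameters are applied in sorted key order onto a setter that does not distinguish the two spellings, and the hardened branch shows one possible mitigation rather than the Struts patch itself. The request bodies are constructed here, not captured traffic.

```python
"""Added example: the CVE-2023-50164 parameter-collision pattern.

Illustrative code written for this post, not Cato's IPS logic and not Struts
source. Hypothetical assumptions: the action declares a file field "upload"
and copies the upload to new File(uploadDir, uploadFileName); the upload
interceptor publishes "<part name>FileName" with directories stripped; and
parameters are applied in sorted key order onto one shared setter.
"""
import email
import posixpath
import re

BOUNDARY = "CatoExampleBoundary"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.(?=[\\/]|$)")  # a ".." path segment


def build_multipart(fields):
    """Build a multipart/form-data body from (name, filename-or-None, value)."""
    lines = []
    for name, filename, value in fields:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        lines += [f"--{BOUNDARY}", f"Content-Disposition: {disp}", "", value]
    lines.append(f"--{BOUNDARY}--")
    return ("\r\n".join(lines) + "\r\n").encode()


def parse_multipart(content_type, body):
    """Return (name, filename-or-None, text value) per part. The stdlib email
    parser handles any multipart/* subtype once given the Content-Type."""
    head = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode()
    msg = email.message_from_bytes(head + body)
    if not msg.is_multipart():
        return []
    parts = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition") or ""
        value = (part.get_payload(decode=True) or b"").decode("latin-1")
        parts.append((name, part.get_filename(), value))
    return parts


def detect_upload_abuse(content_type, body):
    """Flag a plain field that case-collides with a derived <part>FileName
    parameter, and any such field carrying a ".." segment. Returns findings."""
    findings = []
    parts = parse_multipart(content_type, body)
    file_parts = [n for n, fname, _ in parts if fname is not None]
    plain = [(n, v) for n, fname, v in parts if fname is None]
    for part_name in file_parts:
        derived = part_name + "FileName"  # key the upload interceptor would emit
        for name, value in plain:
            if name.casefold() != derived.casefold():
                continue
            if name != derived:
                findings.append(f"case-variant of {derived!r}: {name!r}")
            if TRAVERSAL.search(value):
                findings.append(f"traversal in {name!r}: {value!r}")
    return findings


def resolve_destination(upload_dir, content_type, body, field="upload", hardened=False):
    """Model the action's copy target for the upload.

    Vulnerable path: the interceptor overwrites the exact key "<Part>FileName"
    with a directory-stripped name, the attacker's lowercase spelling survives
    as a separate key, keys are applied in sorted order ("U" sorts before "u")
    and both reach the same setter, so the unsanitized value is applied last.
    Hardened path (an assumed mitigation, not the Struts patch): keep only the
    first spelling of a property and re-apply basename at the point of use.
    """
    parts = parse_multipart(content_type, body)
    params = {n: v for n, f, v in parts if f is None}  # request params as sent
    for name, filename, _ in parts:
        if filename is not None:  # interceptor runs later, same-case key is replaced
            params[name + "FileName"] = posixpath.basename(filename)
    target = field + "FileName"
    chosen = None
    for key in sorted(params):
        if key.casefold() != target.casefold():
            continue
        if hardened and chosen is not None:
            continue  # a second spelling of the same property is ignored
        chosen = params[key]
    if chosen is None:
        return None
    if hardened:
        chosen = posixpath.basename(chosen)
    return posixpath.normpath(posixpath.join(upload_dir, chosen))


# Constructed sample requests (not captured traffic).
ATTACK_BODY = build_multipart([
    ("Upload", "shell.jsp", "<%-- placeholder JSP body (constructed) --%>"),
    ("uploadFileName", None, "../../ROOT/shell.jsp"),
])
BENIGN_BODY = build_multipart([("upload", "report.pdf", "%PDF-1.4 placeholder")])

if __name__ == "__main__":
    print(detect_upload_abuse(CONTENT_TYPE, ATTACK_BODY))
    for hardened in (False, True):
        print(resolve_destination("/opt/tomcat/webapps/app/uploads", CONTENT_TYPE,
                                  ATTACK_BODY, hardened=hardened))
```

Run it directly to print the findings and both resolved paths. The case-variant finding is a strong signal on its own, even without a ".." in the value: a legitimate form has no reason to send a file-name field whose name differs from the file part's name only in letter case.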

Cato’s analysis and response to the CVE

From our data and analysis at Cato's Research Labs, we have seen multiple exploitation attempts against the CVE across Cato customer networks immediately following the POC release, ranging from naive scanning to genuine exploitation attempts looking for vulnerable targets.

Cato deployed IPS signatures blocking attempts to exploit the RCE within 24 hours of the POC publication, protecting all Cato-connected edges (sites, remote users and cloud resources) worldwide from December 13th, 2023.

Nonetheless, Cato recommends upgrading all vulnerable web servers to the fixed versions released by the project maintainers: network-level blocking stops exploitation in transit, but it does not remove the flaw from the server itself.

Dolev Moshe Attiya

Dolev Moshe Attiya is a Staff Cyber Security Engineer at Cato Networks and a member of Cato Ctrl, specializing in threat analysis, research, and developing advanced countermeasures. With over five years of experience, Dolev plays a key role in fortifying Cato's security against emerging threats and CVEs.

Vadim Freger

Vadim Freger is Director of Service Evangelism and Strategist at Cato Networks and a member of Cato Ctrl. In this role he is dedicated to advocating Cato's reputation as a leading SASE and cyber security company. With over seven years of experience at Cato, Vadim previously held the role of Director of DevOps and SRE, playing a pivotal role in shaping and advancing Cato's expansive global cloud services and operations. Before joining Cato, Vadim held various management positions at Imperva, and has over 15 years of combined experience in networking and cyber security.