Apache Struts Strikes Again! From Path Traversal to Remote Code Execution

Apache Struts, the well-adopted MVC framework is back in the spotlight again after the disclosure of CVE-2023-50164 on December 7, 2023. It is the first time a critical CVE affecting Apache Struts has made waves since 2017, when CVE-2017-5638 was exploited in the wild and led to the infamous Equifax breach impacting sensitive data for over 140 million US consumers. 

Boasting a severity rating of 9.8, this vulnerability affects a range of Apache Struts versions, from 2.0.0 to 2.3.37, 2.5.0 to 2.5.32, to 6.0.0 to 6.3.0.

Unpacking the Vulnerability

At the core of this critical vulnerability within Apache Struts lies the manipulation of file upload parameters, with a specific focus on the /upload.action endpoint. Exploiting a subtle yet significant distinction in parameter treatment due to case sensitivity enables malicious actors to introduce a malicious file, creating avenues for remote code execution (RCE) and potential system compromise. Here’s a sample payload (Thanks to github user jakabakos for providing the POC)

Case Sensitivity and Parameter Pollution

A nuanced aspect of this vulnerability lies in the case-sensitive nature of HTTP parameters within Apache Struts. For instance, parameters such as name=”upload” and Name=”Upload” are treated differently due to case sensitivity. Recognizing this vulnerability, recent commits from the Apache team have transitioned to case-insensitive HTTP parameter handling, fortifying the framework’s security posture and reducing susceptibility to parameter manipulation tactics.

Path Traversal and Parameter Manipulation

CVE-2023-50164 is a vulnerability arising from parameter pollution. Exploiting this flaw empowers attackers to manipulate the initial parameter by introducing an additional parameter in lowercase. This manipulation has the potential to override an internal file name variable, thereby facilitating path traversal and exposing the system to potential exploitation. Consequently, a path traversal payload can endure in the final filename, bypassing critical security mechanisms within Apache Struts.

Temporary File Handling and Security Measures

Another critical aspect of this vulnerability pertains to handling temporary files within Apache Struts. In previous implementations, temporary files were created in specific directories, posing a security risk if these files were not promptly deleted. However, recent commits by the Apache team have addressed this issue by implementing measures to “Always delete uploaded files,” thereby mitigating the risk of persistence in affected systems. In addition to that, the Apache team added exception-handling mechanisms for managing files that exceed size limits. When exceptions such as “struts.messages.upload.error.parameter.too.long” are triggered, specific methods are invoked to facilitate file cleanup, thereby maintaining the integrity of the system.

Remediation and Mitigation

As for any CVE, if you are currently using one of the affected versions, you should update Apache Struts to 6.3.0.2 or 2.5.33 as soon as possible. You can temporarily mitigate this vulnerability by ensuring the application only allows the necessary MIME-types and the uploaded files are regularly deleted. Read-only file system with carefully managed exceptions is always a good security hygiene.

At Traceable, we are continuously monitoring for new CVEs and ensure that our customers are protected against those vulnerabilities. CVE-2023-50164 is no different; as of December 28th 2023 22:02:2 all Traceable customers are protected against this vulnerability. We continue to look for blocked exploitation attempts using Traceable’s data lake and will continue to reach out to our customers, in case they were targeted. Interested in trying out Traceable’s leading API security platform for yourself? You can see Traceable in action or schedule a demo today.