Protection for Remote Code Execution in Apache Struts2 CVE-2023-50164
Wallarm has added rules for detecting exploitation of a Remote Code Execution vulnerability in Apache Struts2 (CVE-2023-50164). Wallarm clients are now able to observe any detected exploitation attempts by searching for CVE-2023-50164 in the Events/Attacks section.
About the vulnerability
This vulnerability exists in the framework’s handling of file upload parameters, which can be abused to upload a malicious file, such as a web shell. Successful exploitation allows arbitrary code execution on the server. The vulnerability has a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by unauthenticated, remote attackers and doesn’t require advanced technical knowledge. Public exploits for the vulnerability have been published on GitHub (exploit#1 and exploit#2).
Due to the prevalence of the Apache Struts2 framework across enterprise infrastructure and its public exposure on Internet-facing web servers, the vulnerability is being actively exploited and has received significant attention in the cybersecurity community. Just days after its publication, it became clear that this vulnerability would be one of the most popular and noticeable vulnerabilities of the year.
It is highly recommended that organizations update the Apache Struts2 framework as soon as possible (vulnerable versions range from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0).