Coverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability
Nishant Gupta, 2023-12-19

Introduction

On December 7, the Apache Software Foundation released Apache Struts versions 6.3.0.2 and 2.5.33 to address a critical vulnerability identified as CVE-2023-50164. It is a path traversal flaw that allows a malicious file to be uploaded and can potentially lead to Remote Code Execution (RCE) on affected versions of Apache Struts.

Recommendations

Zscaler ThreatLabz recommends that users of Apache Struts upgrade to Struts 2.5.33, Struts 6.3.0.2, or later to avoid this vulnerability.

Affected Versions

The following versions of Apache Struts are affected by the vulnerability and should be updated immediately:

- Struts 2.0.0 – Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32
- Struts 6.0.0 – Struts 6.3.0

Background

CVE-2023-50164 is a path traversal flaw that allows a remote attacker to upload malicious files to vulnerable servers. After successful exploitation, an attacker can achieve Remote Code Execution (RCE) on the target server. An attacker exploiting such a vulnerability can access, upload, or modify important files, steal sensitive information, disrupt critical services, or move laterally on the breached network.

CISA released an alert to upgrade to the latest version of Apache Struts for protection from this vulnerability.

According to the Shadowserver scanning platform, some threat actors may have started exploiting publicly exposed vulnerable Apache Struts servers. In addition, a post by Akamai indicates that attackers may be adding new arguments to, and modifying, a publicly available Proof-of-Concept (PoC) to further exploit CVE-2023-50164.

How It Works

The attacker sends an HTTP POST request to a vulnerable Apache Struts application in order to upload a malicious file.

In the POST request, the attacker uploads a file with malicious content using the ‘Upload’ parameter name (instead of ‘upload’). Within the same request, the attacker adds another parameter named ‘uploadFileName’ (instead of ‘UploadFileName’).

Figure 1 is a condensed example of such a request.

Figure 1: Part of the HTTP POST request

The ‘uploadFileName’ parameter contains path traversal characters (../) that overwrite the filename taken from the ‘Upload’ parameter. This lets the attacker bypass the built-in check: the getCanonicalName method, which truncates the filename at the last ‘/’ or ‘\’ character, is effectively evaded, and the path traversal payload remains in the final filename. As a result, the file carrying the malicious payload is written to a directory of the attacker’s choosing.

If the uploaded file contains web shell code, the attacker can execute it on the vulnerable server, achieving RCE and ultimately gaining control of the target server.

Figure 2: Attack chain depicting an attacker exploiting CVE-2023-50164

Zscaler Best Practices
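To show the parameter-confusion pattern from the detection side, the following is an added example (not code from this advisory or from Apache Struts): a heuristic that parses a multipart POST body and flags a ‘*FileName’ parameter whose case differs from the file field it targets, or whose value carries a traversal sequence. The sample body, boundary and helper names are constructed for this example, and the check is a triage heuristic for logs or a WAF stage, not a substitute for upgrading.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample shaped like the request the advisory describes: a file part
# named "Upload" plus a case-variant "uploadFileName" carrying "../". Not a capture.
BOUNDARY = "----demo"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Upload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "hello\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    "../../webapps/ROOT/notes.jsp\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Plain and URL-encoded forms of "../" and "..\".
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def parse_multipart(body: str, boundary: str) -> List[Tuple[str, Optional[str], str]]:
    """Minimal parser for the demo: returns (field name, filename attribute or None, value)."""
    parts = []
    for chunk in body.split(f"--{boundary}"):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":          # preamble or closing delimiter
            continue
        headers, _, value = chunk.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        parts.append((name.group(1) if name else "", fname.group(1) if fname else None, value))
    return parts


def find_struts_upload_anomalies(body: str, boundary: str) -> List[str]:
    """Flag traversal in filenames and <field>FileName parameters that only match a file field by case."""
    findings = []
    parts = parse_multipart(body, boundary)
    file_fields = {name for name, fname, _ in parts if fname is not None}
    for name, fname, value in parts:
        if fname is not None and TRAVERSAL.search(fname):
            findings.append(f"traversal in filename attribute of '{name}'")
        if name.lower().endswith("filename"):       # Struts convention: <field>FileName
            base = name[:-len("FileName")]
            if TRAVERSAL.search(value):
                findings.append(f"traversal in '{name}' value")
            shadowed = [f for f in file_fields if f.lower() == base.lower() and f != base]
            if shadowed:
                findings.append(f"case-variant parameter '{name}' targets field '{shadowed[0]}'")
    return findings


if __name__ == "__main__":
    for finding in find_struts_upload_anomalies(SAMPLE_BODY, BOUNDARY):
        print("ALERT:", finding)
```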

\tSafeguard crown jewel applications by limiting lateral movement using Zscaler Private Access\u2122 with application security modules turned on.
\n\tRoute all server traffic through Zscaler Private Access\u2122 with additional application security module enabled and Zscaler Internet Access\u2122, which provides visibility to identify and stop malicious activity from compromised systems\/servers.
\n\tTurn on Zscaler Advanced Threat Protection\u2122 to block all known command-and-control domains \u2014 thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
\n\tExtend command-and-control (C2) protection to all ports and protocols with the Zscaler Cloud Firewall\u2122 (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
\n\tUse Zscaler Cloud Sandbox\u2122 to prevent unknown malware from being delivered as part of a second-stage payload.
\n\tInspect all TLS\/SSL traffic and restrict traffic to the critical infrastructure from the allowed list of known-good destinations.<\/p>\n

Conclusion

Addressing CVE-2023-50164 is crucial for protecting Apache Struts systems and their users. By manipulating file upload parameters, uploading malicious files, and achieving RCE on the target server, an attacker can take control of it, steal sensitive information, and cause severe disruption for impacted systems and users. To mitigate this risk, upgrade vulnerable Apache Struts installations to Struts 2.5.33, Struts 6.3.0.2, or later.

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection for this CVE.

Zscaler Advanced Threat Protection

- HTML.EXPLOIT.CVE-2023-50164

Zscaler Private Access AppProtection

- Local File Inclusion: 930100 – Path Traversal Attack (/../) – Encoded Payload
- Local File Inclusion: 930110 – Path Traversal Attack (/../) – Decoded Payload

Details related to these signatures can be found in the Zscaler Threat Library.

References

\thttps:\/\/lists.apache.org\/thread\/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
\n\thttps:\/\/www.cisa.gov\/news-events\/alerts\/2023\/12\/12\/apache-software-foundation-updates-struts-2
\n\thttps:\/\/trganda.github.io\/notes\/security\/vulnerabilities\/apache-struts\/Apache-Struts-Remote-Code-Execution-Vulnerability-%28-S2-066-CVE-2023-50164%29
\n\thttps:\/\/thehackernews.com\/2023\/12\/new-critical-rce-vulnerability.html\u00a0\u00a0<\/p>\n
