A critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, tracked as CVE-2023-50164, is reportedly being ignored by developers, leaving approximately 80% of recent Struts downloads exposed to the flaw. The severity of the vulnerability, rated 9.8 out of 10 on the CVSS scale, arises from a logic bug in the file upload feature. When exploited, attackers can save unauthorized files on the remote server, potentially leading to data theft, malware infections, or network intrusion.
Although the fix is simply to move to an updated Struts release, the majority of downloads between December 7 and December 18 were still of vulnerable versions. The slow adoption of secure releases contrasts with the faster response to the Log4j flaw in 2021. Security researchers attribute this lag to developers failing to address the critical vulnerability promptly.
While experts believe the risk of exploitation is lower than for previous Struts vulnerabilities, they emphasize the importance of upgrading to the latest version to mitigate potential threats. Researchers note that successful exploitation often requires specific preconditions, making widespread attacks less likely. However, the ease of automating attacks against vulnerable endpoints, combined with the difficulty of scanning for those endpoints, heightens the importance of swift action in addressing the Struts 2 vulnerability. The situation underscores the need for vigilant maintenance of open-source software and emphasizes the importance of software bills of materials and regular scans for vulnerable components like struts2-core.
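The closing point about SBOMs and dependency scans is the part a defender can act on directly: find every struts2-core in the build and compare it with the first fixed release of its line. The script below is an added example, not code from the article or from the Struts project. It goes slightly beyond the text by reading both a CycloneDX-shaped SBOM and `mvn dependency:list` output. The SBOM, the Maven output and the fixed-version table are all constructed: the version numbers in `FIXED_VERSIONS_PLACEHOLDER` are made up so the example runs and must be replaced with the versions named in the Apache Struts advisory for CVE-2023-50164.

```python
"""Flag struts2-core dependencies older than the fixed release of their line.

Added example. The SBOM and build output are constructed, and the
fixed-version table is a placeholder to fill in from the Struts advisory."""
import json
import re

# PLACEHOLDER values, NOT the real fix versions: replace with the first
# fixed version of each release line from the Struts security bulletin.
FIXED_VERSIONS_PLACEHOLDER = {
    "2.5": "2.5.99",
    "6.3": "6.3.99",
}

STRUTS_GROUP = "org.apache.struts"
STRUTS_ARTIFACT = "struts2-core"

# Matches one line of `mvn dependency:list` output, e.g.
# "[INFO]    org.apache.struts:struts2-core:jar:2.5.32:compile"
MVN_LINE = re.compile(
    rf"{re.escape(STRUTS_GROUP)}:{re.escape(STRUTS_ARTIFACT)}:jar:([^:\s]+)"
)


def parse_version(text):
    """Turn '6.3.0.1' or '2.5.32-SNAPSHOT' into a comparable tuple of ints.
    Qualifiers after '-', '+' or '_' are dropped, so a SNAPSHOT compares
    like its base version (conservative: it is not treated as newer)."""
    core = re.split(r"[-+_]", text, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break  # stop at the first non-numeric segment
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def classify(version, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Return 'vulnerable', 'fixed' or 'unknown-line' for a struts2-core version.
    The release line is major.minor; lines absent from the table are flagged
    for manual review rather than silently passed."""
    parsed = parse_version(version)
    line = ".".join(str(p) for p in parsed[:2])
    fixed = fixed_versions.get(line)
    if fixed is None:
        return "unknown-line"
    return "vulnerable" if parsed < parse_version(fixed) else "fixed"


def struts_versions_from_sbom(sbom):
    """Collect struts2-core versions from a CycloneDX-shaped SBOM dict."""
    return [
        c["version"]
        for c in sbom.get("components", [])
        if c.get("group") == STRUTS_GROUP and c.get("name") == STRUTS_ARTIFACT
    ]


def struts_versions_from_mvn(output):
    """Collect struts2-core versions from `mvn dependency:list` text."""
    return MVN_LINE.findall(output)


def scan(versions, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Map each discovered version to its verdict."""
    return {v: classify(v, fixed_versions) for v in versions}


# Constructed sample inputs (not real project data).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.5.32"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-json-plugin", "version": "2.5.32"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "6.3.0.1"}
  ]
}""")

SAMPLE_MVN = """[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:6.3.99:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    org.apache.struts:struts2-core:jar:9.9.9:compile
"""

if __name__ == "__main__":
    for source, versions in (("sbom", struts_versions_from_sbom(SAMPLE_SBOM)),
                             ("mvn", struts_versions_from_mvn(SAMPLE_MVN))):
        for version, verdict in scan(versions).items():
            print(f"{source}: struts2-core {version} -> {verdict}")
```

Two design choices matter here. Versions are compared as integer tuples rather than strings, because Struts mixes three-part (2.5.x) and four-part (6.3.0.x) numbering and a string compare would misorder them. A release line missing from the fixed-version table is reported as `unknown-line` instead of being treated as safe, so a new major line never slips past the check unnoticed.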
https://www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/
This segment was created for the It’s 5:05 podcast
https://505updates.com/2023-12-27-cybersecurity-and-open-source-headlines/