Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Patch available for critical RCE vulnerability In Apache Struts
Image
Published : 11/12/2023
Reference:
Advisory #2023-148
Version:
1.1
Affected software:
Struts 2.3.37 (end of life)
Struts 2.0.0
Struts 2.5.0
Struts 2.5.32
Struts 6.0.0
Struts 6.3.0
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2023-50164
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Sources
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
Risks
CVE-2023-34051 is a critical vulnerability, with a CVSS score of 9.8, that is affecting Apache Struts 2 open-source development framework.
The exploitation of the vulnerability could lead to remote code execution and have severe consequences, with high impact to confidentiality, integrity and availability of the targeted systems. Attackers have been observed attempting to leverage this vulnerability in attacks that are using a publicly available proof-of-concept exploit code.
Description
CVE-2023-50164 vulnerability may allow an attacker to manipulate file upload parameters to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
The vulnerability is affecting Apache Struts 2.0.0 through 2.5.32 and Apache Struts 6.0.0 through 6.3.0.1.
Recommended Actions
To address this vulnerability, Apache recommends users to urgently upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater.
Version Notes to find more details about performed bug fixes and improvements are available at:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.33
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.2
References
https://nvd.nist.gov/vuln/detail/CVE-2023-50164
https://cwiki.apache.org/confluence/display/WW/S2-066
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.33
https://www.tenable.com/cve/CVE-2023-50164
https://www.securityweek.com/apache-patches-critical-rce-vulnerability-in-struts-2/