Critical Vulnerability in popular Java framework Apache Struts2

This Alert is relevant to Australians who use Java applications which use the Struts2 Framework. Multiple enterprise Java applications use this framework and are likely at risk. This alert is intended to be understood by slightly more technical users. Users are encouraged to apply any available patches and workarounds as soon as possible, and monitor for patches in any Java applications in use.

Background / What has happened?

• A Critical RCE vulnerability has been found in the Apache Struts2 Framework with ‘flawed file upload logic’.
• This can allow a temporary file upload to instead be uploaded to any directories and allow execution, such as the deployment of a web shell.
• Patches have been released for the framework itself, but mitigation will also require vendors applying these patches in all applications which use the framework. This includes multiple enterprise-oriented web applications.
• Exploitation attempts have been observed globally.

Affected versions / applications:

• Struts 2.3.37 (End Of Life)
• Struts 2.5.0 –> Struts 2.5.32
• Struts 6.0.0 –> Struts 6.3.0.1

Struts is a popular Model-View-Controller (MVC) Java Framework used for building enterprise-oriented web applications.

Vulnerabilities in Struts have been popular targets for threat actors in the past, such as the Equifax breach in 2017.

Exact usage of File Upload in Struts may differ across applications.

Mitigation / How do I stay secure?

• There is currently no official remediation advice other than to patch affected systems ASAP.
• Additional possible security implementations which may help reduce risk include:
  • sanitisation checks on uploaded file data.
  • limit server application permissions to allowed directories.
• Track which applications in use within your environments are using Struts frameworks, and monitor for patches as they are released.
• On internet facing Java systems monitoring for newly created files outside directories where they are expected.
• Continue to monitor the situation and respond to new information as it comes to light.

How do I know if I use Apache Struts?

• There are plugins available for security tools such as Qualys and Tenable to detect usage and version of Struts2:
  • https://www.tenable.com/plugins/nessus/186643
  • https://threatprotect.qualys.com/2023/12/08/apache-struts2-remote-code-execution-vulnerability-cve-2023-50164/
• System operators may look for the presence of the following files inside of Tomcat subdirectories to help identify if Struts is in use and what version. (X is likely version running)
  • struts-core-X.jar
  • struts2-core-X.jar

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).