Apache Software Foundation issued a critical security update addressing Struts 2 file upload vulnerability (CVE-2023-50164), warning of potential remote code execution.

Affected Systems:

• Apache Struts versions include: 2.0.0 - 2.3.37 (EOL), 2.5.0 - 2.5.32, and 6.0.0 - 6.3.0.

Security Risks

The successful exploitation of this vulnerability enables an attacker to manipulate file upload parameters, potentially allowing path traversal. This manipulation could lead to the upload of a malicious file, escalating the risk of remote code execution.

Recommended Actions

The National Cyber Security Authority (NCSA) strongly recommends to system administrators to:

• Follow Apache Struts Security Advisory S2-066 to lower the risk of potential exploits, protect systems, and ensure their security.

• Apply the required and latest security updates as soon as possible.

The recommended software versions for upgrade are:

• Apache Struts versions: 2.5.33 , 6.3.0.2 or greater.

• Before any update task, please ensure you have a recent backup that can easily be restored.

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.

References

• Apache Struts Security Advisory S2-066

• Apache Struts Migration Guide

• Apache Struts Official Announcement - 2023