11 December 2023

Apache addresses high-risk Struts2 RCE bug


The Apache Software Foundation issued security updates to fix a remote code execution vulnerability in the Apache Struts 2 software package.

Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.

Tracked as CVE-2023-50164, the vulnerability is a path traversal issue caused by an input validation error when processing directory traversal sequences in file upload path names. A remote attacker could exploit it to upload a malicious file to the server and then execute it. The flaw affects Struts 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 through 6.3.0.
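To show the bug class rather than the Struts internals, here is an added Python illustration (not Struts code and not the CVE-2023-50164 patch) of an upload handler that joins a client-supplied file name straight onto the upload directory, beside a hardened version that keeps only the final path component, applies an extension allowlist and verifies the result still sits inside the upload root. The upload directory, the allowed extensions and the sample file names are assumptions made for the example.

```python
import posixpath
from typing import Tuple

# Assumed values for this illustration: the web app's upload directory and
# the file extensions the application is willing to store.
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def vulnerable_upload_path(upload_root: str, filename: str) -> str:
    """The bug class: the client-supplied name is joined to the upload
    directory as-is, so "../" segments (or an absolute path) walk out of it."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_upload_path(upload_root: str, filename: str) -> str:
    """Hardened version: keep only the final path component, reject dangerous
    names and extensions, then verify the target stays under the root."""
    # Treat backslashes as separators too, so "..\\..\\x" is handled like "../../x".
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected file name: {filename!r}")
    # Allowlist by extension so a server-side script (e.g. a .jsp) is never
    # written where the container might execute it.
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: basename() already strips directories, but an explicit
    # containment check means a later change to the name handling cannot
    # silently reintroduce traversal.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def vet_upload(upload_root: str, filename: str) -> Tuple[bool, str]:
    """Return (True, final_path) or (False, reason) without raising."""
    try:
        return True, safe_upload_path(upload_root, filename)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names a client might send in a multipart upload.
    samples = [
        "report.pdf",
        "../../webapps/ROOT/shell.jsp",
        "..\\..\\notes.txt",
        "/etc/cron.d/job.txt",
        "shell.jsp",
    ]
    for sample in samples:
        print(f"{sample!r:34} naive -> {vulnerable_upload_path(UPLOAD_ROOT, sample)}")
        print(f"{'':34} safe  -> {vet_upload(UPLOAD_ROOT, sample)}")
```

The naive join turns `../../webapps/ROOT/shell.jsp` into a path under the servlet container's web root and lets an absolute name replace the upload directory entirely; the hardened version reduces every name to a single component, refuses executable extensions, and still checks containment so the two controls do not depend on each other.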

While there is no indication that this vulnerability has been exploited in the wild, users are strongly advised to upgrade to Apache Struts 2.5.33 or 6.3.0.2 or later.

Struts vulnerabilities have been repeatedly targeted by hackers over the years, including the infamous hack of the US credit reporting agency Equifax in May 2017.

Earlier this month, Australian software company Atlassian released security updates to address a slew of high-risk vulnerabilities (CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523), all of which, if exploited, could lead to remote code execution.
