December 12, 2023 at 01:00AM
Apache has issued a critical security advisory for a flaw in Struts 2, a Java web application framework, that can lead to remote code execution: an attacker who can manipulate file upload parameters can achieve path traversal and, under some circumstances, upload a malicious file that is then executed. Tracked as CVE-2023-50164, the flaw affects the 2.3, 2.5 and 6.x release lines; fixed releases exist only for 2.5 and 6.x, since the 2.3 line is end-of-life. No workaround exists, and upgrading to 2.5.33 or 6.3.0.2 (or later) is strongly recommended.
Key takeaways from the Newsroom Vulnerability / Software Security meeting notes of Dec 12, 2023:
– Apache issued a critical security advisory for a flaw (CVE-2023-50164) in the Struts 2 web application framework that enables remote code execution.
– Flaw was discovered by Steven Seeley from Source Incite, impacting Struts versions 2.3.37, 2.5.0 – 2.5.32, and 6.0.0 – 6.3.0.
– Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or higher, with no available workarounds.
– Project maintainers strongly advise all developers to upgrade, noting that the fixed release is a drop-in replacement.
– While there is no evidence of in-the-wild exploitation so far, a prior Struts flaw (CVE-2017-5638) was exploited in the 2017 Equifax breach.
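The practical follow-up to the upgrade advice above is an inventory check: find every struts2-core artifact in deployed web applications and build files and flag those below the fixed releases. The script below is an added example, not code from the advisory or the Struts project. It assumes the fixed releases named on this page (2.5.33 for the 2.x line, 6.3.0.2 for the 6.x line), identifies artifacts by struts2-core jar filenames or by struts2-core dependencies in a Maven pom.xml, and treats any 2.3.x version as needing migration because no fixed 2.3 release exists. Note that it flags anything below 6.3.0.2 in the 6.x line, which is a conservative reading: the page only lists 6.0.0 to 6.3.0 as affected. The sample jar paths and pom.xml are constructed.

```python
"""Flag Apache Struts 2 artifacts below the fixed releases for CVE-2023-50164.

Added example (not the advisory's or the Struts project's code). Assumptions:
fixed releases are 2.5.33 (2.x line) and 6.3.0.2 (6.x line); artifacts are
found via struts2-core jar names or struts2-core Maven dependencies. All
sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# First fixed release per major line. Struts 2.3.x (the page lists 2.3.37 as
# affected) has no fixed 2.3 release, so it sits below the 2.x threshold and is
# flagged for migration to 2.5.33 or later.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}

_JAR_RE = re.compile(r"struts2-core-([0-9][0-9A-Za-z.\-]*)\.jar$")
_POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'6.3.0.2' -> (6, 3, 0, 2); None for unresolved values like ${struts.version}."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def classify(version: str) -> str:
    """'upgrade' if below the fixed release for its line, 'fixed' otherwise,
    'out-of-scope' for lines this advisory does not cover, 'unparsed' if unparseable."""
    v = parse_version(version)
    if v is None:
        return "unparsed"
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "out-of-scope"
    # Tuple comparison treats a missing trailing component as lower, so
    # (6, 3, 0) < (6, 3, 0, 2): 6.3.0 is correctly flagged, 6.3.0.2 is not.
    return "upgrade" if v < fixed else "fixed"


def scan_jar_paths(paths: List[str]) -> List[Tuple[str, str, str]]:
    """For each path that is a struts2-core jar, return (path, version, verdict)."""
    results = []
    for path in paths:
        m = _JAR_RE.search(path)
        if m:
            ver = m.group(1)
            results.append((path, ver, classify(ver)))
    return results


def pom_struts_versions(pom_xml: str) -> List[str]:
    """Versions declared for org.apache.struts:struts2-core in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", _POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=_POM_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=_POM_NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=_POM_NS).strip()
        if gid == "org.apache.struts" and aid == "struts2-core" and ver:
            found.append(ver)
    return found


# Constructed sample data (hypothetical paths, not real deployments).
SAMPLE_JARS = [
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.32.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-6.3.0.jar",
    "/opt/tomcat/webapps/new/WEB-INF/lib/struts2-core-6.3.0.2.jar",
    "/opt/tomcat/webapps/new/WEB-INF/lib/struts2-json-plugin-6.3.0.2.jar",  # not the core jar
]

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.30</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for path, ver, verdict in scan_jar_paths(SAMPLE_JARS):
        print(f"{verdict:12} {ver:8} {path}")
    for ver in pom_struts_versions(SAMPLE_POM):
        print(f"{classify(ver):12} {ver:8} pom.xml")
```

In practice the jar list would come from something like `find / -name 'struts2-core-*.jar'` on each host, and a pom whose version is a property reference (`${struts.version}`) is reported as `unparsed` rather than silently passed, so it still gets a manual look. The check only says whether an artifact is on a fixed release; it does not tell you whether a given application actually exposes a file-upload endpoint, so treat `upgrade` as "patch now", not "confirmed exploitable".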