December 21, 2023 at 09:20AM
Sonatype reports low adoption of fixed versions of Struts 2 despite a critical RCE vulnerability (CVE-2023-50164) in the framework's file upload feature. The fix is simple: use updated Struts versions. With active exploitation and ease of automatable attacks, Sonatype urges immediate upgrades to mitigate potential risks and emphasizes vigilant maintenance for open-source software.
Based on the meeting notes, it is evident that there is a significant risk associated with the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, tracked as CVE-2023-50164, with a severity rating of 9.8 out of 10. The vulnerability stems from a logic bug in the file upload feature that lets a user save uploaded documents to locations they should not have access to, which can lead to data theft, malware infections, or network intrusions.
Despite the release of a fix for the vulnerability, it’s concerning that around 80 percent of Struts downloads from the Maven Central repository remain vulnerable to CVE-2023-50164, as noted by Sonatype. This low adoption rate is particularly alarming given the active exploitation attempts and the potential for devastating consequences if the vulnerability is exploited.
While the likelihood of exploitation may be lower than previous vulnerabilities in Apache Struts, it’s crucial for application developers to promptly upgrade to the latest version of Struts 2. The potential for exploitation is still considered serious, and the ease of automation for attacks, coupled with widespread usage of Struts 2, poses a real threat.
In light of these concerns, it’s essential for organizations to prioritize addressing the Struts 2 vulnerability and take swift action to upgrade their software components. Additionally, maintaining a vigilant approach to open source software maintenance, including creating software bills of materials and conducting scans for struts2-core, is imperative to mitigate the risks associated with such vulnerabilities.
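One way to act on that last recommendation, as an added example that is not code from the Sonatype report or the Struts project: read a CycloneDX JSON software bill of materials, pick out every struts2-core component, and flag those whose version is below the fixed release for its line. The SBOM content is constructed for the example, and the version thresholds are placeholders that must be replaced with the fixed versions named in the Apache Struts advisory for CVE-2023-50164.

```python
"""Flag struts2-core entries in a CycloneDX JSON SBOM that sit below a
minimum fixed version.  Added example; SBOM and thresholds are constructed."""
import json

# Constructed CycloneDX-style SBOM fragment (not taken from any real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.apache.struts", "name": "struts2-core", "version": "2.5.30",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.30"},
        {"group": "org.apache.struts", "name": "struts2-core", "version": "6.3.1000",
         "purl": "pkg:maven/org.apache.struts/struts2-core@6.3.1000"},
        {"group": "org.apache.commons", "name": "commons-io", "version": "2.15.1"},
    ],
})

# PLACEHOLDER thresholds keyed by major.minor release line.  Substitute the
# fixed versions from the Apache Struts advisory before using this for real.
EXAMPLE_THRESHOLDS = {"2.5": "2.5.999", "6.3": "6.3.999"}


def parse_version(version):
    """Turn '2.5.30' or '6.3.0.2' into an int tuple so comparisons are numeric
    rather than lexical ('2.5.9' < '2.5.30').  Non-numeric pieces such as
    'SNAPSHOT' compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def release_line(version):
    """'6.3.0.2' -> '6.3': the key used to look up the fixed version."""
    return ".".join(version.split(".")[:2])


def is_struts2_core(component):
    """Match by Maven coordinates or by package URL, since SBOM generators
    do not always populate both."""
    group = component.get("group", "")
    name = component.get("name", "")
    purl = component.get("purl", "")
    return (group == "org.apache.struts" and name == "struts2-core") or \
        purl.startswith("pkg:maven/org.apache.struts/struts2-core@")


def find_vulnerable_struts(sbom_json, thresholds=None):
    """Return a list of findings, one per struts2-core component that is below
    its line's fixed version or whose line has no recorded fixed version."""
    thresholds = thresholds or EXAMPLE_THRESHOLDS
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if not is_struts2_core(comp):
            continue
        version = comp.get("version", "")
        line = release_line(version)
        fixed = thresholds.get(line)
        if fixed is None:
            # Unknown release line: do not silently pass it, ask for review.
            findings.append({"version": version,
                             "reason": f"no fixed version recorded for release line {line}; review manually"})
        elif parse_version(version) < parse_version(fixed):
            findings.append({"version": version,
                             "reason": f"below fixed version {fixed}"})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_struts(SAMPLE_SBOM):
        print(f"struts2-core {finding['version']}: {finding['reason']}")
```

The same function works on an SBOM produced by any CycloneDX tool for a Maven build; the only project-specific input is the threshold table, which should be sourced from the vendor advisory rather than hard-coded guesses.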