IT Professionals:
The University Information Security Office would like to bring to your attention the critical vulnerability CVE-2023-50164 in Apache Struts, an open-source Model-View-Controller (MVC) framework. An attacker who successfully exploits this vulnerability can manipulate file upload parameters to upload a malicious file and achieve remote code execution. Affected versions are Apache Struts 2.0.0 through 2.5.32 and Apache Struts 6.0.0 through 6.3.0.1.
At this time, no exploit code has been made publicly available; however, the UISO strongly urges those who run Apache Struts to complete the following mitigation steps before an exploit is made public:
- Upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or later.
- Use a web application firewall (WAF) to help detect and block malicious traffic.
- Monitor your applications for any suspicious activity that could indicate an attack.
- Review your file upload configurations to ensure that your applications are configured to only accept authorized file types, and to limit the size of uploaded files.
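The first step above depends on knowing which of your deployments still run an affected release. The script below is an added illustration, not UISO or Apache code: it compares a Struts version string against the affected ranges and fixed versions stated in this notice (2.0.0 through 2.5.32, fixed in 2.5.33; 6.0.0 through 6.3.0.1, fixed in 6.3.0.2), and triages a small inventory. The hostnames and versions in the inventory are constructed sample data; replace them with the versions your application owners report.

```python
"""Triage an inventory of Apache Struts deployments against CVE-2023-50164.

Added example, not code from the University Information Security Office or
from the Apache Struts project. Affected ranges and fixed versions are taken
from the advisory text; the sample inventory is constructed.
"""

import re

# Each affected release line: (first affected version, first fixed version).
# A version is affected if first_affected <= version < first_fixed, which is
# the same as the advisory's "2.0.0 through 2.5.32" and "6.0.0 through 6.3.0.1".
AFFECTED_LINES = (
    ("2.0.0", "2.5.33"),   # advisory: 2.0.0 through 2.5.32 affected
    ("6.0.0", "6.3.0.2"),  # advisory: 6.0.0 through 6.3.0.1 affected
)


def parse_version(text):
    """Turn '6.3.0.1' into a tuple of ints padded to four parts so that
    three- and four-part versions compare correctly. A trailing qualifier
    such as '-SNAPSHOT' is ignored; anything else is rejected."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version):
    """Return (affected, upgrade_to) for one version string.
    upgrade_to is the first fixed release for that line, or None."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_LINES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True, first_fixed
    return False, None


# Constructed sample inventory: hostname -> Struts version reported by the owner.
SAMPLE_INVENTORY = {
    "app1.example.edu": "2.5.30",
    "app2.example.edu": "6.3.0.1",
    "app3.example.edu": "6.3.0.2",
    "app4.example.edu": "2.5.33",
    "app5.example.edu": "6.4.0",
}


def triage(inventory):
    """Return only the hosts that still need an upgrade, mapped to the
    minimum fixed version they should move to."""
    result = {}
    for host, version in inventory.items():
        affected, fixed = assess(version)
        if affected:
            result[host] = fixed
    return result


if __name__ == "__main__":
    for host, fixed in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to Struts {fixed} or later")
```

The check uses "less than the first fixed release" rather than "at most the last listed affected release" so that any intermediate build between the two (for example a four-part patch of 2.5.32) is treated as affected until it is confirmed otherwise.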
If you suspect that a machine is compromised, please report the incident as soon as possible, following the instructions for reporting emergency IT incidents.
For more information about the vulnerability and mitigation, please refer to the Apache Security Advisory.
–IT Community Partnerships on behalf of the University Information Security Office