Alert - Vulnerability impacting Apache Struts 2 (CVE-2023-50164)

Number: AL23-019
Date: December 15, 2023

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On December 4, 2023, Apache released a security bulletin to address a critical vulnerability (CVE-2023-50164) affecting Apache Struts 2 versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0 (Footnote 1). The vulnerability is rated 9.8 on the Common Vulnerability Scoring System (CVSS v3) and can allow a malicious actor to upload malicious files and perform remote code execution (Footnote 2).

The Canadian Centre for Cyber Security (Cyber Centre) and our cyber security partners have published alerts and advisories encouraging all organizations to apply patches to the affected products (Footnotes 3, 4, 5 and 6).

Historically, vulnerabilities impacting Struts 2 have been significant due to the broad adoption of the Apache Struts 2 framework within the industry.

The Cyber Centre has verified publicly available proof of concepts (POCs) and is aware of malicious activity within Canada.

The Cyber Centre strongly recommends that organizations patch the affected Apache Struts 2 systems at their earliest opportunity, to version 2.5.33 or greater on the 2.5.x branch and to version 6.3.0.2 or greater on the 6.x branch. Apache Struts versions 2.0.0 to 2.3.37 are vulnerable but are no longer supported. Impacted organizations are encouraged to update any unsupported products to a supported version.

Suggested actions

The Cyber Centre recommends organizations:

Verify the existence of Apache Struts on their hosts, monitor for signs of exploitation and patch software using Struts 2 as soon as possible.

For Linux systems, the lsof command may be used to identify commonly named Struts 2 JAR files that are currently open by running applications, using the following command:

  • sudo lsof -w | grep -i "struts2.*\.jar"

For Windows systems, it may be possible to determine the location of commonly named Apache Struts archives by using the following PowerShell command, replacing <DRIVEPATH> with the root of each mounted drive and running it once per drive.

  • Get-ChildItem -Path <DRIVEPATH> -Recurse -ErrorAction SilentlyContinue -Filter '*struts*.jar'

This detection technique is not a definitive method for identifying all impacted systems and products: a JAR that has been renamed, repackaged inside another archive or bundled by a vendor will not match on file name alone. The Cyber Centre strongly recommends that organizations monitor vendor advisory spaces to receive notifications of impact along with mitigation recommendations and patches.
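The two commands above only locate archives by file name. The following script, added here as an illustration and not part of the Cyber Centre Alert or of Apache's tooling, goes one step further: it walks a directory tree, reads the version from the Maven pom.properties that a Maven-built struts2-core JAR normally carries under META-INF/maven/ (an assumption about how the JAR was built), falls back to the version in the file name, and compares the result against the fixed releases named in this Alert (2.5.33 and 6.3.0.2). Anything older than the fixed release on its branch is reported as affected, and anything in the 2.0.0 to 2.3.37 range is additionally flagged as unsupported. The sample JARs it scans are constructed in a temporary directory for the demonstration.

```python
#!/usr/bin/env python3
"""Locate Apache Struts 2 JARs under a directory tree and compare their
version against the fixed releases named in the Alert (2.5.33 and 6.3.0.2).
Added example, not part of the Cyber Centre Alert; assumptions are marked."""
import os
import re
import tempfile
import zipfile

# Fixed releases named in the Alert, keyed by major version. Anything older
# than the fixed release on the same branch is treated as affected.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}
# 2.0.0 to 2.3.37: affected and no longer supported, per the Alert.
EOL_MAX = (2, 3, 37)

# Version embedded in common JAR names, e.g. struts2-core-2.5.32.jar
NAME_RE = re.compile(r"struts2?-[a-z-]*?(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2); None if text is not a dotted integer version."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(?:\.\d+)+", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Return 'affected-unsupported', 'affected', 'fixed' or 'unknown'."""
    v = parse_version(version)
    if v is None or v[0] not in FIXED:
        return "unknown"
    if v < FIXED[v[0]]:          # tuple comparison: (6,3,0) < (6,3,0,2)
        return "affected-unsupported" if v <= EOL_MAX else "affected"
    return "fixed"


def version_from_jar(path):
    """Read 'version=' from the Maven pom.properties inside the JAR.
    Assumption: the JAR was built by Maven and carries META-INF/maven/**/pom.properties."""
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass
    return None


def scan_tree(root):
    """Walk root; return sorted [(path, version, classification)] for each Struts JAR."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if "struts" not in fn.lower() or not fn.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            version = version_from_jar(path)
            if version is None:                      # fall back to the file name
                match = NAME_RE.search(fn)
                version = match.group(1) if match else None
            findings.append((path, version, classify(version)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: fake JARs in a temp directory (not real Struts artifacts)."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    samples = [
        ("app1/WEB-INF/lib/struts2-core-2.5.32.jar", "2.5.32"),
        ("app2/WEB-INF/lib/struts2-core-6.3.0.2.jar", "6.3.0.2"),
        ("legacy/lib/struts2-core-2.3.37.jar", None),   # no pom.properties: name fallback
    ]
    for rel, version in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr("META-INF/maven/org.apache.struts/struts2-core/pom.properties",
                            f"version={version}\ngroupId=org.apache.struts\n"
                            "artifactId=struts2-core\n")
    return root


def demo():
    """Scan the constructed tree; return {relative path: classification}."""
    root = build_sample_tree()
    return {os.path.relpath(path, root): verdict for path, _, verdict in scan_tree(root)}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:22} {path}")
```

On a real host, replace the constructed tree with the web application roots found by the lsof or PowerShell commands above (for example `scan_tree("/opt/tomcat/webapps")`); a result of "unknown" means the version could not be determined and the archive should be inspected by hand rather than assumed safe.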

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 7) with an emphasis on the following topics:

  • Consolidate, monitor, and defend Internet gateways
  • Patch operating systems and applications
  • Isolate web-facing applications

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

ACSC - Critical Vulnerability in popular Java framework Apache Struts2 – Alert

CISA - The Apache Software Foundation Updates Struts 2 – Alert

NCSC-NZ - Cyber Security Alert: CVE affecting Apache Struts 2 – Advisory
