NOTE: This is an ongoing situation. This article is regularly updated with the latest information.
About CVE-2023-50164
In December 2023, news broke of CVE-2023-50164—a critical Remote Code Execution (RCE) vulnerability in the Apache Struts 2 open-source Java library.
This vulnerability poses a serious risk to applications with affected versions of Struts and is being actively exploited by attackers to overwrite arbitrary files.
Detailed information regarding this vulnerability can be found on the Sonatype blog and in the Security Vulnerability Details within Sonatype Lifecycle:
Select a Sonatype Solution
- Sonatype Lifecycle (find and fix the CVE-2023-50164 vulnerability across applications)
- Sonatype Repository Firewall (find if CVE-2023-50164 exists in your repository and prevent future downloads of vulnerable versions of CVE-2023-50164)
- Sonatype Nexus Repository (find if CVE-2023-50164 exists in your repository)
Sonatype Lifecycle
The following information helps Sonatype Lifecycle users find and fix CVE-2023-50164 vulnerabilities.
How do I know if my applications are affected by the CVE-2023-50164 vulnerability?
If you have scanned your applications, there are several options to determine if they are affected.
Dashboard
Your Dashboard results show the most recent violations. The Dashboard displays by default when you log in to Lifecycle:
- Click on Dashboard from the left navigation bar
- Select the Violations tab and Filter (top right) to adjust your results. For example, you can filter by Policy Threat Level and set that to critical (9+).
Note: Large organizations with many scanned apps can set the Age filter to Past 7 Days or Past 24 hours to reduce potential slowdowns.
- Click Apply in the Filter menu to view your results:
- Click the Export Violations Data button to save a CSV of the results.
- Open the CSV
- Search for CVE-2023-50164 in the H column and/or struts2-core in column E
- Locate the respective Application and Organization in columns C and D
- Contact the respective development teams to have them remediate immediately.
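The CSV triage above can be scripted once the export is saved. The following is an added example, not Sonatype's own code or output format: it reads the export positionally (the page names columns C, D, E and H; the header names in the sample are constructed placeholders), matches a row on either the CVE in column H or struts2-core in column E, and groups the hits by organization and application so each development team can be contacted once. The sample export rows are constructed, and CVE-0000-0000 is a placeholder identifier.

```python
"""Triage a Lifecycle Dashboard violations export for CVE-2023-50164.

Reads the exported CSV positionally (the page points at columns C, D, E and H;
the header names below are constructed placeholders) and groups hits by
organization and application so each development team can be contacted.
"""
import csv
import io
from typing import Dict, List, Set

# 0-based indexes of the spreadsheet columns named on the page:
# C = Application, D = Organization, E = Component, H = CVE / reference.
COL_APPLICATION, COL_ORGANIZATION, COL_COMPONENT, COL_REFERENCE = 2, 3, 4, 7

# Constructed sample export. Column headers are assumptions; only the
# positions matter to the code. CVE-0000-0000 is a placeholder identifier.
SAMPLE_EXPORT = """\
Policy,Threat Level,Application,Organization,Component,Version,Stage,Reference
Security-Critical,10,payments-api,Finance,org.apache.struts : struts2-core : 2.5.30,2.5.30,release,CVE-2023-50164
Security-Critical,9,inventory-svc,Retail,org.apache.struts : struts2-core : 2.3.37,2.3.37,build,CVE-2023-50164
Security-Medium,5,inventory-svc,Retail,com.example : other-lib : 1.0.0,1.0.0,build,CVE-0000-0000
License-Copyleft,7,intranet-portal,IT,org.apache.struts : struts2-core : 2.5.30,2.5.30,release,GPL-3.0
"""


def find_affected_rows(csv_text: str, cve: str = "CVE-2023-50164",
                       artifact: str = "struts2-core") -> List[dict]:
    """Return rows where column H names the CVE or column E names the artifact.

    Matching on either field mirrors the page's "and/or": a license violation
    row still proves the application ships struts2-core even when the CVE
    itself is not the reported violation.
    """
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the header row
    hits = []
    for row in reader:
        if len(row) <= COL_REFERENCE:
            continue  # short or malformed row; nothing to match on
        by_cve = cve in row[COL_REFERENCE]
        by_component = artifact in row[COL_COMPONENT]
        if by_cve or by_component:
            hits.append({
                "application": row[COL_APPLICATION],
                "organization": row[COL_ORGANIZATION],
                "component": row[COL_COMPONENT],
                "reference": row[COL_REFERENCE],
                "matched_cve": by_cve,
            })
    return hits


def group_by_team(hits: List[dict]) -> Dict[str, Set[str]]:
    """Map organization -> set of affected applications (one contact per team)."""
    teams: Dict[str, Set[str]] = {}
    for hit in hits:
        teams.setdefault(hit["organization"], set()).add(hit["application"])
    return teams


if __name__ == "__main__":
    affected = find_affected_rows(SAMPLE_EXPORT)
    for org, apps in sorted(group_by_team(affected).items()):
        print(f"{org}: contact owners of {', '.join(sorted(apps))}")
```

Run it against the real export by replacing SAMPLE_EXPORT with the file contents; if your export has a different column order, adjust the four index constants rather than the matching logic.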
Advanced Search
The Advanced Search feature can also be used to locate CVE-2023-50164. Use the following search criteria:
- To find all versions of struts2-core, enter:
componentCoordinateArtifactId:struts2-core and select Show all components
- To find all versions at a particular stage (e.g. release):
componentCoordinateArtifactId:struts2-core AND policyEvaluationStage:release
- To find components where a vulnerability may not have been identified yet (hasn’t been scanned):
componentName:*struts2-core* and select Show all components
From here, select Export Results to download a CSV and perform your analysis.
You can also use Component Search REST API to search for the vulnerable component.
NOTE: If you scanned applications before the vulnerability was known, the best practice is to run a full, new scan.
Vulnerability Lookup
You can also use Vulnerability Lookup to search for both Sonatype-proprietary and CVE vulnerabilities that Sonatype has data for and obtain in-depth details about them in real time. Select Vulnerability Lookup from the left navigation, and enter CVE-2023-50164 to view details:
I have never scanned my application(s)
You will need to onboard your application to Lifecycle. See Approaches to onboarding applications for help.
You can then run a scan via the CLI to get results.
The following example shows the command line for an Application ID Test123, a URL of http://localhost:8070, and targets the release stage. Replace <version> in the jar file path with your version of the CLI.
java -jar ./Sonatype-iq-cli-<version>.jar -i Test123 -s http://localhost:8070 -a username:password -t release sample-application.zip
CVE-2023-50164 is in my application. How do I fix it?
The best option is to upgrade to a newly released, non-vulnerable version immediately. We recommend you upgrade to versions 2.5.33 or 6.3.0.2 or greater.
NOTE: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
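Before a team upgrades, it helps to confirm exactly where struts2-core enters the build and whether the version is below the fixed releases named above. The following is an added example (not Sonatype's or Apache's code) that walks `mvn dependency:tree` output, reports each struts2-core entry as direct or transitive, and classifies its version against 2.5.33 for the 2.x line and 6.3.0.2 for the 6.x line. The tree text is constructed for the example (a real tree lists only the one resolved version of an artifact; the sample repeats it to exercise the direct, transitive and fixed cases together), and the line format assumed is Maven's standard `[INFO] +- groupId:artifactId:type:version:scope` with `|  ` per nesting level.

```python
"""Locate struts2-core in `mvn dependency:tree` output and compare each version
with the fixed releases named on the page (2.5.33 for the 2.x line, 6.3.0.2 for
the 6.x line), reporting whether the dependency is direct or transitive.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed versions from the page; anything lower in the same line is treated as affected.
FIXED_2X = (2, 5, 33)
FIXED_6X = (6, 3, 0, 2)

# One line of `mvn dependency:tree`: "[INFO] +- g:a:type[:classifier]:version:scope";
# nested entries are indented with "|  " or three spaces per level.
TREE_LINE = re.compile(r"^\[INFO\] (?P<indent>(?:\|  |   )*)(?:\+-|\\-) (?P<coords>\S+)")

# Constructed sample tree (see lead-in); not real project output.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ sample-application ---
[INFO] com.example:sample-application:war:1.0.0
[INFO] +- org.apache.struts:struts2-core:jar:2.5.30:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.example:legacy-webkit:jar:4.2.0:compile
[INFO] |  \\- org.apache.struts:struts2-core:jar:2.3.37:compile
[INFO] \\- org.apache.struts:struts2-core:jar:6.3.0.2:test
"""


class Finding(NamedTuple):
    artifact: str
    version: str
    depth: int                  # 1 = declared directly in the POM, >1 = transitive
    vulnerable: Optional[bool]  # None when the version cannot be classified


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'2.5.33' -> (2, 5, 33); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def _pad(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so (2, 5, 33) and (6, 3, 0, 2) compare position by position."""
    return v + (0,) * (width - len(v))


def is_vulnerable_struts_version(version: str) -> Optional[bool]:
    """True below the fixed release of the matching line, False at or above it,
    None for versions outside the 2.x / 6.x lines the page covers."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    v = _pad(parsed)
    if v[0] == 2:
        return v < _pad(FIXED_2X)
    if v[0] == 6:
        return v < _pad(FIXED_6X)
    return None


def find_struts_core(tree_text: str) -> List[Finding]:
    """Return every struts2-core entry in the tree with its depth and status."""
    findings = []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group("coords").split(":")
        if len(parts) < 5:
            continue  # not a full coordinate (e.g. the root module line)
        group_id, artifact_id, version = parts[0], parts[1], parts[-2]
        if group_id == "org.apache.struts" and artifact_id == "struts2-core":
            depth = len(m.group("indent")) // 3 + 1
            findings.append(Finding(artifact_id, version, depth,
                                    is_vulnerable_struts_version(version)))
    return findings


if __name__ == "__main__":
    for f in find_struts_core(SAMPLE_TREE):
        how = "direct" if f.depth == 1 else f"transitive (depth {f.depth})"
        status = {True: "AFFECTED, upgrade", False: "fixed", None: "unclassified"}[f.vulnerable]
        print(f"{f.artifact} {f.version}: {how}: {status}")
```

A transitive finding (depth greater than 1) is the case the note above describes: the version is chosen by another component's POM, so the fix is to contact that component's maintainers, pin a fixed version through dependency management, or replace the component.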
How do I protect my applications going forward?
The best practice is to turn on the Continuous Monitoring feature. Continuous Monitoring lets you use existing policies with notifications to constantly watch (once a day, based on your configuration) for new violations at a specific development stage (such as Release).
Configure Continuous Monitoring in two steps: (1.) turn it on for an application or organization, and then (2.) turn it on at the policy level and set your notifications.
To turn on Continuous Monitoring for an application or organization:
- Select Organization & Policies from the left navigation bar
- Select the organization or application whose policies you want to monitor.
- Under Continuous Monitoring, select the chevron next to Inherit from Root Organization (Do not monitor).
- In the Continuous Monitoring view, select the desired stage. Ideally, this will be the Operate stage.
- Click Update to turn on Continuous Monitoring.
The next step is to turn on Continuous Monitoring at the policy level. This lets you identify who should receive an email message when a violation of the selected policy occurs.
To turn on Continuous Monitoring in a policy:
- In the Organization & Policy area, create a new policy or open an existing one for an organization or application.
- In the Policy editor, select the Notifications button to scroll to the Notifications section.
- Make sure the Notifications Recipient list contains the desired email address to use for policy violation notifications. If necessary, add a new recipient.
- For the desired email address, select the Continuous Monitoring radio button.
- Click Update to save the policy.
If the Policy editor is grayed out for you at the organization or application level, select the same policy at the Root Org level.
For more information, please see our Continuous Monitoring Concepts guide.
Turn on email notifications
Sonatype Lifecycle can be configured to send email notifications for events such as policy violation notifications. Email is a simple way to start getting notifications to the application security team, and eventually developers once they have been notified to expect them.
This functionality requires an SMTP server, which is configured along with a number of other options in the Mail Configuration section of the config.yml file.
Email notifications from the IQ Server are automatically sent to recipients when a policy alert occurs. The email contains information about the application and violation and provides a link to the full results for further investigation.
For more information, please see our Notification Configuration help topic.
Sonatype Repository Firewall
The following information helps Repository Firewall users identify if CVE-2023-50164 exists in their repository and prevent future downloads of components with vulnerable versions.
How do I determine if my organization is impacted by the latest vulnerability disclosure?
Repository Firewall can audit component downloads from a given proxy repository (Java, .NET, npm, Python). You can view a report that contains all components that have been previously downloaded to your Nexus Repository through that applicable proxy repository.
In Nexus Repository 3.x, the audit results are summarized in the IQ Policy Violations column of the Repositories view. This view is located in the Repository sub-menu of the Administration menu.
This report can be reviewed for any instance of CVE-2023-50164, and you can search for components affected by this CVE. In addition, the Firewall results include Sonatype-curated vulnerability information for this CVE and others, which is only available to Repository Firewall and Lifecycle customers.
If this component is found, it indicates it was previously downloaded into your Nexus Repository. As a result, the component is available to applications with privileges to access that proxy repository. To find out if your software has any open-source security vulnerabilities, visit Sonatype’s Vulnerability Scanner, a no-cost scan tool. If you have numerous applications to analyze, we recommend reaching out to Sonatype Sales to trial the Lifecycle solution.
How should we remediate this issue?
Whenever possible, the best option is to upgrade to a newly released, non-vulnerable version immediately. We recommend you upgrade to versions 2.5.33 or 6.3.0.2 or greater.
Firewall's quarantine feature can block vulnerable versions from being reintroduced into your proxy repos. Set your security policies for threat level 9 and 10 to fail at the proxy stage. This will prevent vulnerable versions of Apache Struts from entering your proxy repositories.
However, Sonatype Repository Firewall will not block the Apache Struts component if it is already in your repository unless you first delete the component. Deleting the component from existing proxy repositories is a last resort due to the potential to suddenly break builds and halt development.
If you must delete the component from the repo, give adequate warning and explicit instructions on how to proceed.
How can Firewall help with other known vulnerabilities?
In addition to auditing component downloads, Repository Firewall is designed to quarantine component download requests based on policy configuration. You can configure the policy to quarantine new component downloads for known vulnerable versions of any component based on any range of criticality.
Sonatype Nexus Repository
The following information helps Nexus Repository users identify if CVE-2023-50164 exists in your repository.
How do I determine if my organization is impacted by the latest vulnerability disclosure?
Repository Health Check (RHC) can audit component downloads from a given proxy repository. Users can view a report that contains all components that have been previously downloaded to your Nexus Repository through that applicable proxy repository.
This report can be reviewed for any instance of CVE-2023-50164. Users can also search for a particular component affected by CVE-2023-50164. In addition, the RHC report includes links to the associated CVE.
If this component is found, it indicates it was previously downloaded into your Nexus Repository. As a result, the component is available to applications with privileges to access that proxy repository. To associate a component to a specific application, please visit Sonatype’s Vulnerability Scanner (NVS), a no-cost scan tool. If you have numerous applications to analyze, we recommend reaching out to Sonatype Sales to trial the Sonatype Lifecycle solution.
How should we remediate this issue?
If you do not have a means of blocking components from being reintroduced to your proxy repositories, you'll need to manually alert development teams to the danger.
Delete vulnerable versions of this component from your proxy repositories only as a last resort, due to the potential for disruption. If you're also a Repository Firewall customer, review the information above to learn how Repository Firewall can automatically quarantine vulnerable versions of this component.
Regardless, the best option is to upgrade to a newly released, non-vulnerable version immediately. We recommend you upgrade to versions 2.5.33 or 6.3.0.2 or greater.
How can Repository Health Check (RHC) help with other known vulnerabilities?
Enabling RHC on all supported repository types provides insight into component downloads across your proxy repositories. In addition, the report includes trend analysis determined by month-to-month component downloads.
Are Sonatype products vulnerable?
Sonatype security researchers conducted an audit of our applications when the issue surfaced and can confirm that none of our products are affected by this vulnerability.
Resources
- For a complete understanding of CVE-2023-50164, reference the official Apache Struts S2-066 documentation. This documentation provides detailed technical insights and recommended strategies for mitigation directly from the source, ensuring that organizations have the most accurate and up-to-date information for addressing the vulnerability.
- For those seeking more detailed technical information on CVE-2023-50164 and the latest in software security best practices, resources such as cybersecurity-focused publications and the Apache Struts official website are highly recommended. To learn about how Sonatype's solutions can assist in addressing these challenges, visit Sonatype's official website.
- For further assistance, please contact your Customer Success representative or log a support ticket.