Hi Sonatype Community,
We’re reaching out to make you aware of a critical Remote Code Execution (RCE) vulnerability in the Apache Struts 2 open-source Java library (CVE-2023-50164).
We want to assure you that Sonatype has confirmed that none of our products are affected by this vulnerability.
These are the 3 key steps we recommend to determine your application risk:
- Understand Severity and Implications
This vulnerability poses an extreme risk to applications using affected versions of Struts. It is being actively exploited by attackers using a flaw in Apache Struts’s file upload system and can result in arbitrary code execution on the server.
This could lead to outcomes like unauthorized data access, system compromise, or even complete control over the affected systems, including placing malicious files within systems.
Sonatype’s security researchers, working together with ML/AI techniques, have identified more than 1,000 additional open source projects that carry the same critical risk. Given the prominence of this vulnerability, we anticipate a sustained and diverse range of attacks leveraging this weakness.
- Assess Impact and Begin Remediating
Sonatype fast-tracked analysis of this vulnerability, which is now available within Sonatype IQ Server.
To determine whether you might be impacted, please see our Find & Fix CVE-2023-50164 Guide for assistance locating and remediating the vulnerable component using our different solutions.
Key steps include updating Apache Struts to the latest, patched version to address this vulnerability.
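One way to start locating the vulnerable component in your own builds, as an added illustration rather than Sonatype's tooling or the Find & Fix guide: the script below walks a Maven POM, reports every `org.apache.struts` dependency with its property-resolved version, and flags entries whose version is inherited from a parent or BOM so they are not silently skipped. The sample POM and the version numbers in it are constructed for the demo; the patched version to compare against is deliberately left as a placeholder and must be taken from the Apache or Sonatype advisory.

```python
"""Find Apache Struts dependency declarations in a Maven POM (added example)."""
import re
import xml.etree.ElementTree as ET

STRUTS_GROUP = "org.apache.struts"

# Constructed sample POM: a property-resolved struts2-core version, a Struts
# plugin whose version is managed elsewhere, and one unrelated library.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.5.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.15.2</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the XML namespace prefix that Maven POMs usually carry."""
    return tag.rsplit("}", 1)[-1]


def _children(elem):
    return {_local(child.tag): child for child in elem}


def _text(elem_map, name):
    elem = elem_map.get(name)
    return (elem.text or "").strip() if elem is not None else ""


def find_struts_dependencies(pom_xml):
    """Return (groupId, artifactId, resolved version) for every Struts dependency.

    Dependencies without an explicit <version> are reported as managed so the
    reader knows to check the parent POM or BOM instead of assuming they're safe.
    """
    root = ET.fromstring(pom_xml)
    top = _children(root)

    # Collect <properties> plus project.version for ${...} resolution.
    props = {}
    if "properties" in top:
        for prop in top["properties"]:
            props[_local(prop.tag)] = (prop.text or "").strip()
    if "version" in top:
        props["project.version"] = _text(top, "version")

    def resolve(value):
        # Replace ${name} with the property value; unknown names stay as-is.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    found = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        dep = _children(elem)
        if _text(dep, "groupId") != STRUTS_GROUP:
            continue
        version = _text(dep, "version")
        found.append((STRUTS_GROUP, _text(dep, "artifactId"),
                      resolve(version) if version else "(managed/unspecified)"))
    return found


def version_key(version):
    """Numeric tuple for comparison, e.g. '2.5.30' -> (2, 5, 30)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_upgrade(version, fixed_version):
    """True if version is older than fixed_version (same release line assumed)."""
    fixed_key = version_key(fixed_version)
    if not fixed_key:
        raise ValueError("fixed_version must come from the vendor advisory")
    return version_key(version) < fixed_key


if __name__ == "__main__":
    # FIXED_VERSION is a placeholder: substitute the patched version from the advisory.
    FIXED_VERSION = "X.Y.Z"
    for group, artifact, version in find_struts_dependencies(SAMPLE_POM):
        print(f"{group}:{artifact} -> {version}  (compare against {FIXED_VERSION})")
```

Run it against each `pom.xml` in a repository; a version reported as managed means the effective version lives in a parent POM or imported BOM, which is where the check has to continue.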
- Maintain Continuous Awareness
As this is an ongoing and evolving situation, this Sonatype blog post and the Find & Fix guide will continue to be updated with the latest information.
If you have any questions or concerns, we are also happy to answer them in the thread below or in the Apache Struts 2 RCE vulnerability category here in the Community.