CVE-2024-53677: Critical RCE vulnerability in Apache Struts 2 - what you need to know

Background about the vulnerability

Rehberger’s research outlines how the memory feature introduced in ChatGPT significantly increased the risk of data exfiltration. This feature enables the AI to retain information across sessions, enhancing user experience but also creating a new attack vector. Attackers can leverage this capability to store malicious instructions in the application’s memory, leading to ongoing surveillance and data theft. 

The issue exploits the memory functionality launched by OpenAI last February and subsequently made available to ChatGPT Free, Plus, Team, and Enterprise users at the beginning of this month. At the end of last year, OpenAI took steps to address a prevalent data exfiltration issue by implementing an API called url_safe. The call is meant to mitigate various types of attacks in which prompt injection attempts will be focused on the attempt to render images from third-party servers to then use the URL as a data exfiltration channel. Specifically, the API is supposed to determine whether a URL or image is safe for display to the user, helping to thwart numerous attacks where prompt injection seeks to exploit third-party servers to extract data through URLs. 

In an earlier blog post from December, Rehberger highlighted how the iOS application is vulnerable due to the security check (url_safe) being performed on the client-side. Gregory Schwartzman authored a paper that delves into this issue with detail. 

Nevertheless, the newly released macOS and Android clients continued to have vulnerabilities in their updated releases, with the security verification (url_safe) still being handled on the client side. As mentioned in The Hacker News’s report from five days after the original research publication, a recent enhancement to ChatGPT has escalated the risk associated with this vulnerability – OpenAI has introduced a feature called Memories. “ChatGPT’s memories evolve with your interactions and aren’t linked to specific conversations,” OpenAI says. “Deleting a chat doesn’t erase its memories; you must delete the memory itself.” 

What is the CVE-2024-53677?

Does CVE-2024-53677 affect me?

Organizations using Java-based applications built with Apache Struts 2 are at risk if their versions fall within the affected ranges and rely on the vulnerable File Upload Interceptor component. Commonly affected sectors include government, financial services, and telecommunications, where Struts 2 continues to see substantial usage despite the availability of alternative frameworks. 

To determine your risk: 

• Identify your version – Audit all Java applications using Apache Struts 2 and check their versions.
• Assess component usage – Verify whether the File Upload Interceptor component is implemented.
• Monitor for activity – Investigate logs for suspicious activity, especially related to file uploads.

Has CVE-2024-53677 been actively exploited in the wild?

While no confirmed exploitation of CVE-2024-53677 has been publicly reported, history suggests caution. Apache Struts vulnerabilities have been prime targets for attackers, with notable incidents like the Equifax breach in 2017, attributed to a similar flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlights multiple Struts RCE vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, indicating their attractiveness to threat actors. 

Given Struts 2’s download volume – estimated at 300,000 monthly requests, with a significant portion still containing critical bugs – organizations should treat this vulnerability as a high-priority issue.

How to fix CVE-2024-53677

Organizations applying to the above conditions should Upgrade to a Secure Version: The most effective solution is to upgrade to Apache Struts 2.6.4.0 or later. This update not only addresses the vulnerability but also eliminates the deprecated File Upload Interceptor component. 

Additionally, admins are advised to migrate to Action File Upload Interceptor immediately. If your application relies on the deprecated File Upload Interceptor, migrating to the Action File Upload Interceptor is essential. This process involves rewriting your actions to ensure compatibility with the newer mechanism, which offers enhanced security and integration features. 

For further mitigations it is also strongly recommended to: 

1. Monitor vendor advisories – Stay updated on patches and recommendations for applications utilizing Apache Struts. 
2. Investigate and monitor systems – Check logs and systems for unusual activity, particularly around file uploads. 
3. Apply patches – Ensure all Java applications using Apache Struts are patched promptly. 
4. Assess your environment – Proactively scan systems for potential compromise and misconfigurations. 

CVE-2024-53677 underscores the ongoing risks posed by outdated or improperly configured software components. With its potential for severe exploitation, organizations must act quickly to assess their exposure and apply the necessary updates. 

By upgrading to a secure version and adopting modern file upload mechanisms, businesses can significantly reduce their attack surface and safeguard their systems against this critical flaw.

Further reading

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. Q3 2024 Vulnerability Watch 
2. IBM’s Cost of a Data Breach 2024: What we learned 
3. Fixing the RCE flaw in the Common Unix Printing System (CUPS) 
4. Vulnerability disclosure policy (and how to get it right) 
5. OpenSSH again? How to fix CVE-2024-7589