DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2017-5638: The Billion Dollar Header: Inside the Apache Struts 2 'Equifax' RCE


Vulnerability ID: CVE-2017-5638
CVSS Score: 9.8
Published: 2017-03-11

A critical remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts 2 allows attackers to execute arbitrary commands via crafted HTTP headers. This flaw was the entry point for the 2017 Equifax breach.

TL;DR

Apache Struts 2 evaluated an error message as code. If an attacker sends a malformed Content-Type header containing an OGNL expression, the Jakarta Multipart parser fails, the header value is copied into the exception message, and Struts runs that message through OGNL-aware variable translation while building the error text, so the attacker's expression executes on the server. No authentication is required, and the code runs with the privileges of the servlet container process, which on carelessly deployed hosts is often root.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-917 (Improper Neutralization of Special Elements in Expression Language Statement)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (HTTP Headers)
  • EPSS Score: 99.93% (Highest Percentile)
  • Impact: Unauthenticated Remote Code Execution (runs as the servlet container user, often root or an over-privileged service account)
  • KEV Status: Active (Added Nov 2021)

Affected Systems

  • Apache Struts 2: 2.3.5 - 2.3.31 (Fixed in: 2.3.32)
  • Apache Struts 2: 2.5 - 2.5.10 (Fixed in: 2.5.10.1)

Code Analysis

Commit: 3523064

Initial patch for S2-045 exception handling

```java
LocalizedTextUtil.findText(..., null, new Object[] { e.getMessage() })
```

The exception that commons-fileupload throws for a request that is not a valid multipart stream carries a message echoing the request's Content-Type value. Before the fix, JakartaMultiPartRequest.buildErrorMessage passed that message as the defaultMessage argument of LocalizedTextUtil.findText; default messages are run through variable translation, which evaluates any %{...} or ${...} OGNL expression embedded in the header. The patch passes null as the default message and moves e.getMessage() into the args array, where it is only substituted as a MessageFormat parameter and is never evaluated as OGNL.

Commit: b06dd50

Further hardening of the Multipart parser: validation logic updates.

Exploit Details

  • Metasploit: exploit/multi/http/struts2_content_type_ognl, a reliable module for S2-045
  • GitHub: Python based PoC script (struts-pwn)
  • ExploitDB: Raw OGNL injection proof of concept

Mitigation Strategies

  • Upgrade Apache Struts 2 to 2.3.32 or 2.5.10.1 (or any later release). This is the only complete fix.
  • Implement WAF rules to block OGNL injection patterns (%{ and ${) in HTTP headers, and treat them as a stopgap: OGNL payloads can be obfuscated, and S2-046 (covered by the same CVE) reaches the same code path through the Content-Disposition filename inside the multipart body, which a rule keyed only on the Content-Type header never sees.
  • Switch to a different Multipart parser (Pell or Cos) via the struts.multipart.parser constant in struts.xml if patching is delayed; the flaw is in the Jakarta implementation, so the other parsers do not hit this error path.
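
The Content-Type validation filter that the S2-045 advisory recommends as a workaround, emulated in Python as an added example (this is not the project's own code and not a servlet filter): classify_content_type gives the verdict a filter in front of Struts should reach for one header value, and scan_log runs the same check over a few constructed reverse-proxy log lines to show what a detection rule catches after the fact. The log format, the sample lines, the client addresses and the truncated %{...} opening in the third line are all constructed for illustration; the strict boundary regex is an assumption that the application only needs plain multipart/form-data uploads.

```python
import re

# Sequences that open an OGNL expression once the parser's error message is
# run through Struts' variable translation (the S2-045 code path).
OGNL_MARKERS = ("%{", "${")

# Strict shape for a legitimate multipart upload Content-Type. Assumption: the
# application only needs form-data uploads with a plain boundary parameter.
MULTIPART_OK = re.compile(
    r"^multipart/form-data\s*;\s*boundary=[A-Za-z0-9'()+_,\-./:=?]{1,70}\s*$",
    re.IGNORECASE,
)


def classify_content_type(value):
    """Return 'ok', 'ognl_marker' or 'malformed_multipart' for a header value.

    Struts hands the request to the Jakarta parser whenever the header contains
    'multipart/form-data'; a malformed value then ends up in the exception
    message. Anything carrying an OGNL marker is rejected outright.
    """
    if value is None:
        return "ok"
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl_marker"
    if "multipart/form-data" in value.lower():
        return "ok" if MULTIPART_OK.match(value) else "malformed_multipart"
    return "ok"


def should_reject(headers):
    """Filter decision for one request; headers is a dict of header -> value."""
    return classify_content_type(headers.get("Content-Type")) != "ok"


# Constructed reverse-proxy log lines: <client> "<request>" ct="<Content-Type>".
# The third line carries only the opening of an S2-045 style header, which is
# enough for the marker check; it is not a working payload.
SAMPLE_LOG = [
    '203.0.113.7 "POST /upload.action" ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '198.51.100.4 "GET /index.action" ct="-"',
    '192.0.2.99 "POST /login.action" ct="%{(#_=\'multipart/form-data\').(#cmd=\'id\')}"',
    '198.51.100.4 "POST /upload.action" ct="multipart/form-data; boundary"',
]

LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]*)" ct="(?P<ct>[^"]*)"$')


def scan_log(lines):
    """Return (line_number, client, verdict) for every line the filter would reject."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict = classify_content_type(match.group("ct"))
        if verdict != "ok":
            hits.append((number, match.group("client"), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % hit)
```

The check inspects the request header only, so it covers S2-045 but not the S2-046 variant that places the expression in a multipart part's filename; that needs body parsing, and patching remains the real fix.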

Remediation Steps:

  1. Identify all web applications using the Struts 2 framework.
  2. Check the version of struts2-core-x.x.x.jar in the WEB-INF/lib directory.
  3. If the version is < 2.3.32 (2.3 branch) or >= 2.5.0 and < 2.5.10.1 (2.5 branch), schedule immediate downtime.
  4. Replace the JARs with the patched versions provided by Apache (2.3.32 or 2.5.10.1, or a later release).
  5. Restart the application server (Tomcat, JBoss, WebSphere) so the old classes are unloaded.
  6. Verify the fix by replaying the PoC payload against a non-production instance, using a harmless OGNL expression that only returns a marker string rather than a shell command.
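
Steps 1 to 3 as a script, added here as an example that is not from the original page: it walks a deployment root, picks out struts2-core JARs by file name, parses the version and compares it against the affected ranges from the Affected Systems list above. The directory paths and JAR names in SAMPLE_JARS are constructed. The script only reads file names, so a renamed JAR or a shaded copy of Struts inside another archive would be missed; for those, check the Implementation-Version in META-INF/MANIFEST.MF by hand.

```python
import os
import re

# JAR name as shipped by Apache, e.g. struts2-core-2.3.31.jar or
# struts2-core-2.5.10.1.jar; an optional qualifier such as -SNAPSHOT is ignored.
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")

# Affected ranges from the S2-045 advisory: lower bound inclusive, upper bound
# exclusive (the upper bound is the first fixed release on that branch).
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5, 0), (2, 5, 10, 1)),
)


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1).

    Padded to three parts so the 2.5 release sorts as 2.5.0 and falls inside
    the affected range.
    """
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_vulnerable_version(text):
    version = parse_version(text)
    return any(low <= version < high for low, high in VULNERABLE_RANGES)


def struts_version_from_jar(path):
    """Version string from a struts2-core JAR file name, or None for other JARs."""
    match = JAR_NAME.match(os.path.basename(path))
    return match.group(1) if match else None


def audit_jar_names(paths):
    """Return (path, version, vulnerable) for every struts2-core JAR in paths."""
    findings = []
    for path in paths:
        version = struts_version_from_jar(path)
        if version is not None:
            findings.append((path, version, is_vulnerable_version(version)))
    return findings


def audit_directory(root):
    """Walk a deployment root (e.g. Tomcat's webapps) and audit every JAR found."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in filenames if name.endswith(".jar"))
    return audit_jar_names(paths)


# Constructed WEB-INF/lib listing for a host running three Struts applications.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-convention-plugin-2.3.31.jar",
    "/opt/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.jar",
]

if __name__ == "__main__":
    import sys
    findings = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_jar_names(SAMPLE_JARS)
    for path, version, vulnerable in findings:
        print("%s  %s  %s" % ("VULNERABLE" if vulnerable else "ok        ", version, path))
```

Run it with the application server's webapps directory as the only argument; with no argument it audits the constructed sample, flagging the portal (2.3.31) and legacy (2.5) applications and passing the intranet one (2.5.10.1).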

Read the full report for CVE-2017-5638 on our website for more details including interactive diagrams and full exploit analysis.
