Apache Struts Content-Type RCE (CVE-2017-5638)
Severity Assessment
| Metric | Rating | Notes |
|---|---|---|
| Exploitability | 10/10 | Trivially exploitable via a single HTTP request; no authentication required. |
| Impact | 10/10 | Full remote code execution with web server process privileges. |
| Weaponization | 10/10 | Multiple public exploits and Metasploit modules available within days of disclosure. |
| Patch Urgency | 10/10 | Active exploitation in the wild; responsible for the Equifax breach. |
| Detection Coverage | 6/10 | Detectable via WAF rules and network signatures, but varied enterprise coverage. |
Executive Summary
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts 2, a widely used open-source web application framework for Java. The vulnerability exists in the Jakarta Multipart parser, which improperly handles crafted Content-Type HTTP headers. An attacker can exploit this flaw by sending a specially crafted HTTP request with a malicious Content-Type header containing an Object-Graph Navigation Language (OGNL) expression. The OGNL expression is evaluated by the Struts framework, resulting in arbitrary command execution on the server.
The vulnerability affects Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Apache released patches (versions 2.3.32 and 2.5.10.1) on March 6, 2017, the same day the vulnerability was publicly disclosed through security advisory S2-045. Exploitation in the wild was observed within hours of the disclosure.
This vulnerability is best known as the attack vector used in the 2017 Equifax data breach, which compromised the personal data of 147 million individuals and resulted in a $700 million settlement. The Equifax breach occurred because the company failed to patch the vulnerability for approximately two months after the fix was available.
Exploit Chain
Stage 1: Crafted HTTP Request
The attacker sends an HTTP request to a Struts 2 application with a malicious Content-Type header. The header contains an OGNL expression embedded within what would normally be a multipart form data content type declaration.
Stage 2: Jakarta Parser Error Handling
The Jakarta Multipart parser attempts to process the malformed Content-Type header. When parsing fails, the error handling code includes the header value in an error message that is subsequently processed by the OGNL expression evaluator.
Stage 3: OGNL Expression Evaluation
The Struts framework evaluates the OGNL expression embedded in the error message. OGNL provides access to Java runtime methods, enabling the attacker to execute arbitrary operating system commands through the Java Runtime.exec() method.
Stage 4: Command Execution
The operating system command specified in the OGNL expression executes with the privileges of the web server process. This typically provides the attacker with the ability to read files, write files, and establish reverse shell connections for interactive access.
Stage 5: Post-Exploitation
With command execution on the web server, attackers can install persistent backdoors, pivot to internal network resources, access databases connected to the web application, and exfiltrate data.
Detection Guidance
Network-based detection should monitor HTTP traffic for Content-Type headers containing OGNL expressions. Key indicators are Content-Type headers that contain the string “multipart/form-data” together with OGNL syntax and Java references such as “java.lang.ProcessBuilder”, “java.lang.Runtime” or “getRuntime().exec()”. Intrusion detection signatures should match on these patterns in HTTP request headers.
Web application firewalls should be configured to reject HTTP requests with Content-Type headers exceeding a reasonable length or containing characters and patterns inconsistent with legitimate multipart form data. Rules blocking OGNL-specific syntax in HTTP headers provide effective protection.
Host-based detection should monitor web server processes for unexpected child process creation, particularly command interpreters (bash, cmd.exe, PowerShell) spawned by Java processes. File integrity monitoring on web application directories can detect the deployment of web shells following exploitation.
Application-level logging should capture the full Content-Type header of incoming requests. Anomalous Content-Type values, particularly those containing parentheses, hash symbols, or Java class names, indicate exploitation attempts.
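As an added example (not code from this advisory or from the Struts project), the following Python script applies the indicators described above to a constructed access log. It assumes a custom log format in which the application appends the request's Content-Type header as ct="..."; the field name, the HIGH/LOW severity split and the sample lines are assumptions.

```python
import re

# Indicator patterns drawn from the detection guidance above. HIGH patterns have
# no place in a legitimate Content-Type value; LOW patterns are anomalies that are
# only escalated when two of them occur together.
HIGH = {
    "ognl_block": re.compile(r"%\{|\$\{"),
    "ognl_var": re.compile(r"#(cmd|iswin)=", re.I),
    "java_class": re.compile(r"java\.lang\.(Runtime|ProcessBuilder)", re.I),
    "exec_call": re.compile(r"getRuntime\(\)\s*\.\s*exec\(", re.I),
}
LOW = {"parens_or_hash": re.compile(r"[()#]")}
MAX_LEGIT_LENGTH = 100  # legitimate headers are typically under 100 characters

def classify_content_type(value):
    """Return (verdict, indicators) for one Content-Type header value;
    verdict is 'malicious', 'suspicious' or 'benign'."""
    hard = [name for name, pat in HIGH.items() if pat.search(value)]
    soft = [name for name, pat in LOW.items() if pat.search(value)]
    if len(value) > MAX_LEGIT_LENGTH:
        soft.append("excessive_length")
    if hard:
        return "malicious", hard + soft
    if len(soft) >= 2:
        return "suspicious", soft
    return "benign", soft

# Assumed custom access-log format: the application appends the request's
# Content-Type as ct="..." (the field name is an assumption, not a Struts default).
CT_FIELD = re.compile(r'ct="((?:[^"\\]|\\.)*)"')

def scan_access_log(lines):
    """Return [(line_no, verdict, indicators)] for every non-benign request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = CT_FIELD.search(line)
        if match:
            verdict, hits = classify_content_type(match.group(1))
            if verdict != "benign":
                findings.append((line_no, verdict, hits))
    return findings

# Constructed sample lines: a normal upload, a plain form post and a
# non-functional probe that only carries the indicator strings.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2017:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----WebKitFormBoundaryx7Qa"',
    '10.0.0.6 - - [07/Mar/2017:10:01:03 +0000] "POST /login.action HTTP/1.1" 302 ct="application/x-www-form-urlencoded"',
    '198.51.100.9 - - [07/Mar/2017:10:01:04 +0000] "POST /upload.action HTTP/1.1" 500 ct="%{#cmd=id}; @java.lang.Runtime@getRuntime().exec(#cmd); multipart/form-data"',
]
```

Calling scan_access_log(SAMPLE_LOG) flags only the third line as malicious; a header that is merely long and contains a parenthesised comment is reported as suspicious rather than malicious, so it can be reviewed instead of blocked outright.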
Indicators of Compromise
Network indicators:
- HTTP requests with Content-Type headers containing OGNL expressions
- Content-Type headers containing “java.lang.Runtime” or “java.lang.ProcessBuilder”
- Content-Type headers containing “#cmd=” or “#iswin=”
- Anomalously long Content-Type headers (legitimate headers are typically under 100 characters)
Host indicators:
- Unexpected child processes spawned by Java/Tomcat web server processes
- Web shell files created in web application directories (JSP, WAR files)
- Unexpected outbound connections from web server processes
- Modified system files or new user accounts created by the web server process
Log indicators:
- Jakarta Multipart parser error messages containing OGNL syntax
- Struts error logs referencing malformed Content-Type headers
- Web server access logs showing POST requests with anomalous Content-Type values
Disclosure Timeline
2017-03-06 — Vulnerability Disclosed and Patched
Apache published security advisory S2-045 and released patched versions 2.3.32 and 2.5.10.1. Proof-of-concept exploit code appeared publicly within hours.
2017-03-07 — Active Exploitation Begins
Security researchers observed widespread scanning and exploitation attempts targeting internet-facing Apache Struts applications.
2017-03-10 — NVD Entry Published
NIST National Vulnerability Database published the CVE-2017-5638 entry with a CVSS 3.0 base score of 10.0.
2017-05-13 — Equifax Breach Begins
Attackers exploited CVE-2017-5638 on an unpatched Equifax web portal, beginning the data exfiltration that would compromise 147 million records.
2017-07-29 — Equifax Discovers Breach
Equifax detected suspicious network traffic from its online dispute portal, approximately 78 days after the initial compromise.
2017-09-07 — Equifax Public Disclosure
Equifax publicly disclosed the data breach, which was traced back to exploitation of CVE-2017-5638.
Sources & References
- NIST NVD: CVE-2017-5638 — NIST NVD, 2017-03-10
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2022-01-01
- Apache: Security Bulletin S2-045 — Apache Software Foundation, 2017-03-06
- Rapid7: Apache Struts CVE-2017-5638 and the Equifax Breach — Rapid7, 2017-09-14