Apache Struts Vulnerability Exploited in Equifax Breach (CVE-2017–5638)


Timeline of Events

  • March 6: Apache discloses Struts 2 vulnerability in Jakarta Multipart parser
  • March 7: Exploit made public (exploits-db)
  • Mid-May to July: Hackers gain access to Equifax database
  • July 29: Equifax discovers the data breach
  • September 7: Equifax publicly announces the data breach (press release)
  • September 9: The Apache Software Foundation publishes a statement regarding Apache Struts
  • September 13: Equifax confirms that CVE-2017–5638 was the vulnerability that was exploited


What’s the fix?

  • Recommended — Upgrade to Struts 2.3.32 or Struts
  • Workaround — Switching to a different implementation of the Multipart parser or remove the File Upload Interceptor from the stack
  • Workaround — Implement a Java Servlet filter which will discard requests containing malformed Content-Type headers

Who’s to blame?

An Ounce of Prevention

  • Follow a rigorous schedule for staying up-to-date on security patches
  • Deploy a web application firewall (WAF) which is a security appliance capable of blocking unusual HTTP requests with malformed Content-Type headers
  • Automate detection of abnormal network or database activity so it can trigger alarms




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store