Apache Struts OGNL RCE (CVE-2017-5638)

The Apache Struts 2 OGNL injection RCE behind the Equifax breach, exploited through a crafted Content-Type header in late 2017.

Definition

CVE-2017-5638 is a remote code execution vulnerability in Apache Struts 2's Jakarta Multipart parser. A crafted `Content-Type` header containing an OGNL expression is parsed and evaluated, leading to arbitrary command execution under the Tomcat (servlet container) process. The bug came to widespread public attention as the root cause of the Equifax breach, in which 147 million U.S. records were leaked; Equifax had been notified of the vulnerability two months before the exploitation.

Mitigation

Upgrade Struts 2 to 2.3.32 / 2.5.10.1 or later; this is the actual fix. As defence in depth, reject malformed or expression-bearing Content-Type headers at the WAF or reverse-proxy layer, which limits exposure but does not remove the vulnerable code.
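
As an added example (not code from the original page or from the Struts project), a request-filter check of the kind the WAF layer above could apply: a Content-Type value is allowed only if it matches the RFC 7230 media-type grammar and carries no OGNL expression opener, and every occurrence of the header is reported. Function names and the sample headers are my own constructions; none of the samples is a working payload.

```python
import re

# RFC 7230 "token": printable ASCII except separators and whitespace.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7230 quoted-string; control characters are not allowed inside it.
_QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[^\x00-\x1f\x7f])*"'
_PARAM = rf";\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})\s*"
# media-type = type "/" subtype *( ";" parameter ), e.g. multipart/form-data; boundary=abc
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}\s*(?:{_PARAM})*$")

# OGNL expression openers. '{' is not a token character, so a well-formed media
# type can only carry these inside a quoted parameter value, which is still rejected.
_OGNL_MARKERS = ("%{", "${")
MAX_CONTENT_TYPE_LEN = 256  # ample for real media types; cheap bound on parser input


def classify_content_type(value: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one Content-Type header value."""
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return "block", "Content-Type exceeds length limit"
    for marker in _OGNL_MARKERS:
        if marker in value:  # checked before the grammar so quoted values are caught too
            return "block", f"OGNL expression marker {marker!r} in Content-Type"
    if not _MEDIA_TYPE.fullmatch(value):
        return "block", "Content-Type does not match media-type grammar"
    return "allow", "well-formed media type"


def scan_headers(raw_headers: str) -> list[tuple[str, str, str]]:
    """Classify every Content-Type header (case-insensitive name) in a raw header block."""
    results = []  # (value, verdict, reason); duplicates are reported, not collapsed
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            verdict, reason = classify_content_type(val.strip())
            results.append((val.strip(), verdict, reason))
    return results


# Constructed samples. The third embeds a legitimate media type inside an expression,
# which is why allowing anything that merely contains "multipart/form-data" is unsafe.
SAMPLE_HEADERS = """\
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Type: application/json; charset=utf-8
Content-Type: %{(#probe='multipart/form-data')}
Content-Type: text/plain; name="${probe}"
Content-Type: multipart/form-data; boundary=
"""
```

Running `scan_headers(SAMPLE_HEADERS)` allows the first two samples and blocks the remaining three, the last one on grammar alone (empty boundary parameter).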