BLOG: 12 Vulnerabilities of Christmas CVE-2017-5638
CVE-2017-5638 is a critical vulnerability affecting certain versions of Apache Struts, on which many current Java-based web applications are built. This vulnerability has also achieved a maximum 100/100 OVS score due to the way in which threat actors have been actively exploiting it for a variety of objectives.
CVE-2017-5638 is a severe vulnerability affecting Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. The vulnerability was disclosed after Apache patched it on 8 March 2017, accompanied by a US-CERT security advisory on the same day. It allows threat actors to achieve Remote Code Execution (RCE) by sending a malicious payload in a modified “Content-Type” request header when uploading a file to the Jakarta Multipart parser, which improperly validates user input. This gives threat actors an easy method to achieve initial compromise of an organisation’s servers hosting the affected Java web applications, potentially allowing lateral movement to database instances and other hosts.
As with previous entries in this blog series, CVE-2017-5638 was rapidly exploited by opportunistic threat actors looking to target vulnerable hosts for crypto-jacking purposes before organisations patched their Struts-based web applications. Threat actors such as Zealot, MassMiner, Beapy, Panda and other cybercriminals quickly added the vulnerability to their arsenal to target organisations with crypto-mining malware, allowing them to mine Monero, Bitcoin and other cryptocurrencies on the compromised hosts.
CVE-2017-5638 was then exploited by threat actors in high-profile breaches, such as the 2017 Equifax and Vevo breaches, which targeted unpatched Struts-based applications on both organisations’ public-facing infrastructure, leading to the exfiltration of 3.12 TB of Vevo data and 143m Equifax customer records, one of the largest recorded breaches at the time. The vulnerability was also observed being exploited in 2018 by the infamous Mirai botnet, a notorious botnet that compromises IoT devices for use in DDoS attacks.
Despite the vulnerability being published in 2017 and exploited mainly in 2018, cybercriminals are still registering interest in exploiting CVE-2017-5638 on underground hacking forums. The following post on a Chinese-language forum discusses the vulnerability and how to exploit it:
Figure 3: Chinese-language forum users discussing CVE-2017-5638
Due to the continued exploitation in the wild of this critical vulnerability by a variety of threat actors, Orpheus has attributed a maximum score of 100/100 to CVE-2017-5638. In addition, we recommend organisations apply the following mitigation advice to patch vulnerable instances and avoid exploitation and initial compromise:
Upgrade vulnerable instances to the latest version of Struts
Whitelist “Content-type” headers to block malicious payloads attempting to exploit the vulnerability
Switch Multipart parsers to a third-party plugin
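One way to implement the Content-Type allowlisting recommended above, as an added example that is neither the blog's nor the Struts project's code: a strict grammar for multipart upload headers, derived from the boundary character set RFC 2046 permits, plus a scan over constructed access-log lines that surfaces requests whose header fails it. The log line format and the `/upload.action` path are assumptions.

```python
import re

# Allowlist grammar for a file-upload Content-Type value, built from the
# boundary characters RFC 2046 permits (bchars). Only multipart/form-data with
# a boundary (and optionally a charset) passes; any other value, including one
# carrying expression-language markers, is rejected before the multipart
# parser ever sees it. Allowlisting avoids chasing new encodings of a marker.
_BCHARS = r"[0-9A-Za-z'()+_,\-./:=? ]{1,70}"
_BOUNDARY = r'(?:"' + _BCHARS + r'"|' + _BCHARS + r")"
_PARAM = r"(?:boundary=" + _BOUNDARY + r"|charset=[A-Za-z0-9._-]{1,40})"
_CONTENT_TYPE = re.compile(
    r"multipart/form-data(?:\s*;\s*" + _PARAM + r")+\s*", re.IGNORECASE
)


def is_allowed_upload_content_type(value: str) -> bool:
    """True only for well-formed multipart/form-data that names a boundary."""
    if not _CONTENT_TYPE.fullmatch(value):
        return False
    return "boundary=" in value.lower()


# Constructed access-log lines in a hypothetical format:
# client, method, path, status, quoted Content-Type ("-" when none was sent).
SAMPLE_LOG = [
    '203.0.113.10 POST /upload.action 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '203.0.113.11 GET /index.action 200 "-"',
    '198.51.100.7 POST /upload.action 500 "%{#placeholder}"',  # constructed stand-in for an expression payload
    '198.51.100.8 POST /upload.action 200 "multipart/form-data; boundary=abc; cmd=x"',
]
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def scan_log(lines):
    """Return (client, path, content_type) for every request whose Content-Type
    fails the allowlist; requests that sent no Content-Type are ignored."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # only the constructed format is understood
        client, _method, path, _status, ctype = m.groups()
        if ctype == "-":
            continue
        if not is_allowed_upload_content_type(ctype):
            hits.append((client, path, ctype))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("rejected upload Content-Type:", hit)
```

The fourth sample line is rejected for carrying a parameter the grammar does not know, which is the point of an allowlist: unknown structure is refused without needing a signature for it.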