| Field | Detail |
|---|---|
| CVE ID | CVE-2017-5638 |
| Affected software | Apache Struts 2, versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 |
| Severity | CVSS 10.0 (Critical) — unauthenticated remote code execution |
| Fixed in | Struts 2.3.32 / 2.5.10.1 |
| Disclosed | March 7, 2017 |
What Happened
Apache Struts is a widely used Java framework for building web applications. Its default file-upload component, the Jakarta Multipart parser, used the value of the incoming request's Content-Type header when building the error message for a malformed multipart request. That error message was then passed through the framework's localized-text handling, which interpolates OGNL expressions (`%{...}` and `${...}`) found in the string. OGNL is Struts' expression language and can call arbitrary Java methods, so an expression planted in the header was evaluated, and ran, on the server. An attacker only had to send a single crafted HTTP request with a malformed Content-Type header; no file upload, session, or credentials were required.
What This Means
This is an injection vulnerability, specifically OGNL expression-language injection: untrusted input (an HTTP header) reached a code path that interpreted it as an expression instead of treating it as opaque text. Because OGNL can invoke Java methods, the result is direct remote code execution with no authentication and no user interaction. The general lesson is that any point where data is handed to an interpreter, template engine, or expression evaluator is a trust boundary, and an error message that echoes raw input is a classic way for attacker-controlled data to cross that boundary unnoticed.
Why You Should Care
The Apache Struts team published its advisory (S2-045) and patched releases on the same day the vulnerability was disclosed, and exploitation in the wild was reported within days. Equifax was breached starting in mid-May 2017, more than two months later, because the patch had not been applied to an internet-facing consumer dispute portal running Struts; the intrusion was not discovered until late July 2017. The breach exposed names, Social Security numbers, birth dates, and addresses for roughly 148 million people, and remains one of the most cited examples of a known, patched vulnerability causing a major breach purely through delayed patching.
What You Can Do
- Maintain an inventory of every framework and library in production so you know immediately when a CVE affects you.
- Apply critical security patches on an expedited timeline, separate from normal release cycles — "patch on the next quarterly release" is too slow for critical RCEs.
- Run automated vulnerability scanning against internet-facing applications to catch unpatched, known-vulnerable components, and confirm the scan actually covers every exposed host and checks the deployed version rather than only a build manifest; a scan that silently misses a server breeds false confidence.
- Have an incident-response and breach-notification plan ready before you need it — Equifax's delayed and confused public response compounded the damage.
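The two checks below are an added example, not code from the original page or from the Struts project. They put the inventory and scanning bullets above, and the mechanism described under "What Happened", into something you can run offline: a version-range test for struts2-core against the affected ranges in the table at the top, and a log scan that flags requests whose Content-Type header carries OGNL expression delimiters, which a legitimate multipart upload never contains. The log layout matched by `LOG_RE`, the sample lines in `SAMPLE_LOG`, and the function names are all constructed for this example; the probe line uses a harmless arithmetic expression, not an exploit payload.

```python
"""
Added example; not code from the original page or from the Struts project.
Two offline checks a defender would want for CVE-2017-5638:

  is_affected_struts(version)         -> is a struts2-core version inside the
                                         affected ranges 2.3.5-2.3.31 or
                                         2.5-2.5.10 (fixed: 2.3.32, 2.5.10.1)?
  flag_suspicious_content_type(line)  -> does a request-log line carry a
                                         Content-Type header containing OGNL
                                         expression syntax ('%{' or '${')?

The log format and the sample lines are constructed for this example; adapt
LOG_RE to your own access-log layout (it must record the Content-Type header).
"""
import re

# Affected ranges from the S2-045 advisory, as integer tuples. Python tuple
# ordering puts the fixed releases above the ranges: (2,3,32) > (2,3,31) and
# (2,5,10,1) > (2,5,10), so both fix versions correctly test as not affected.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_struts(version):
    """True if the given struts2-core version is vulnerable to CVE-2017-5638."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed log layout:  <client> "<METHOD> <path>" <status> ct="<Content-Type>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) ct="(?P<ct>.*)"$'
)

# OGNL expression delimiters that Struts' text interpolation evaluates. A
# legitimate multipart Content-Type ('multipart/form-data; boundary=...') never
# contains them, so their presence in that header is a high-confidence signal.
OGNL_MARKER_RE = re.compile(r"[%$]\{")


def flag_suspicious_content_type(line):
    """Return a dict describing the request if its Content-Type carries OGNL
    syntax, otherwise None (also None for lines that do not match LOG_RE)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ct = m.group("ct")
    if not OGNL_MARKER_RE.search(ct):
        return None
    return {"client": m.group("client"), "path": m.group("path"),
            "status": m.group("status"), "content_type": ct}


def scan_log(lines):
    """All flagged requests in an iterable of log lines."""
    return [hit for hit in map(flag_suspicious_content_type, lines) if hit]


# Constructed sample log: one normal upload, one plain GET, one probe. The probe
# carries a harmless arithmetic expression, not a working exploit payload.
SAMPLE_LOG = [
    '203.0.113.7 "POST /dispute/upload.action" 200 ct="multipart/form-data; boundary=----geckoformboundary1234"',
    '203.0.113.9 "GET /index.action" 200 ct="-"',
    '198.51.100.4 "POST /index.action" 500 ct="%{(1+1)}"',
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(f"struts2-core {ver}: {'AFFECTED' if is_affected_struts(ver) else 'fixed'}")
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The header check is a signature match, not a parser: it will catch the delimiter syntax every public exploit for this bug had to use, but it says nothing about other Struts issues and is no substitute for upgrading. Treat a hit as a reason to confirm the deployed version immediately, using the version check on the jar actually on disk rather than on what the build file claims.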
The Equifax breach led to a settlement of up to $700 million with the FTC, the CFPB, and U.S. states, to congressional hearings, and to the resignation of Equifax's CEO, all traceable back to a single unpatched Struts server. A fix existed for months before attackers used this exact hole to carry out one of the largest consumer data breaches in history; patching speed matters as much as patching at all.