CVE-2017-5638 is a significant vulnerability in Apache Struts, a widely used open-source framework for developing Java web applications. The flaw allowed attackers to execute commands remotely on the server running a vulnerable application, which could lead to data breaches. A notable instance of its exploitation was the 2017 Equifax Inc. data breach, in which attackers infiltrated the company's servers through an unpatched Apache Struts vulnerability.
Secureworks identified a group known as Gold Melody and linked it to five intrusions between July 2020 and July 2022. These attacks exploited various vulnerabilities, including ones affecting Oracle E-Business Suite (CVE-2016-0545), Apache Struts (CVE-2017-5638), Sitecore XP (CVE-2021-42237), and Flexera FlexNet (CVE-2021-4104). By exploiting these flaws, the attackers gained initial access to the targeted systems. The same set of vulnerabilities was observed across multiple Secureworks Incident Response (IR) engagements, indicating a consistent attack methodology.
In addition, other cybercriminal gangs have been observed exploiting known vulnerabilities in internet-exposed servers as initial access vectors. These include flaws in Oracle E-Business Suite and WebLogic (CVE-2016-0545, CVE-2020-14882, and CVE-2020-14750), Sitecore (CVE-2021-42237), Apache Struts (CVE-2017-5638), Log4j (CVE-2021-4104), JBoss MQ Java Message Service (CVE-2017-7504), and Citrix ShareFile (CVE-2021-22941). Kaspersky also observed an attack chain that began with the exploitation of the old Apache Struts 2 vulnerability (CVE-2017-5638), the same bug used in the 2017 Equifax data breach.
Description last updated: 2024-05-04T17:51:40.464Z