• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Apple addressed the seventh actively exploited zero-day

 | 

Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection

 | 

A Scattered Spider member gets 10 years in prison

 | 

FBI: Russia-linked group Static Tundra exploit old Cisco flaw for espionage

 | 

US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

 | 

DOJ takes action against 22-year-old running RapperBot Botnet

 | 

Google fixed Chrome flaw found by Big Sleep AI

 | 

Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

 | 

A hacker tied to Yemen Cyber Army gets 20 months in prison

 | 

Exploit weaponizes SAP NetWeaver bugs for full system compromise

 | 

Allianz Life security breach impacted 1.1 million customers

 | 

U.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog

 | 

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Apache Foundation rejects allegation Equifax hackers exploited CVE-2017-9805 in Struts

Apache Foundation rejects allegation Equifax hackers exploited CVE-2017-9805 in Struts

Pierluigi Paganini September 11, 2017

Media and experts speculate Equifax Hack was the result of the exploitation of the recently discovered critical vulnerability CVE-2017-9805 in Apache Struts.

Last week Equifax reported a huge data breach, hackers accessed its systems between mid-May and late July. The incident affected roughly 143 million U.S. consumers and some customers in the U.K. and Canada.

The hackers accessed customers’ personal information, including names, social security numbers, dates of birth, addresses and, for some consumers also the driver’s license numbers. Equifax reported that hackers also accessed credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people.

The company did not provide details of the attack, it only revealed that attackers exploited a web application vulnerability to access the information.

“criminals exploited a U.S. website application vulnerability to gain access to certain files.” Stated Equifax.

More details on the attack were shared by the financial services firm Baird that claimed the hackers exploited a vulnerability in the Apache Struts framework used by Equifax for its web applications.

“Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw,” states a report published by Baird.

Immediately security experts concluded that hackers have exploited the recently discovered critical vulnerability CVE-2017-9805 in Apache Struts.

The flaw was discovered by security researchers at LGTM (lgtm.com), it could be exploited by a remote attacker to run malicious code on the vulnerable servers.

The remote code execution vulnerability exists when the REST plugin is used with the XStream handler for XML payloads.

Equifax data breach

“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source framework for developing web applications in the Java programming language.” states the security advisory published by lgtm.com.”All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency. This vulnerability has been addressed in Struts version 2.5.13.”

The vulnerability tracked as CVE-2017-9805 is related to the way Struts deserializes untrusted data, it affects all versions of Apache Struts since 2008, from Struts 2.5 to Struts 2.5.12.

The vulnerability was reported to Apache Struts development team in mid-July, but it was addressed only on September 5 with the release of Struts version 2.5.13.

According to the expert that has discovered the vulnerability, the flaw is easy to exploit, an attacker can trigger it by submitting a malicious XML code in a format.

“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.” said Man Yue Mo, the LGTM security researcher that discovered the vulnerability.

The lgtm security team has developed an exploit code for this vulnerability, but  it hasn’t disclosed it.

However, on September 6, it was reported the availability of a #Metaslpoit module to exploit the CVE 2017-9805, the module is available at the following URL:

https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef

 

 

 

Currently the vulnerability is being exploited in the wild, anyway there is no  evidence of exploitation before the patch was released.

Over the weekend the Apache Struts Project Management Committee (PMC) released an official statement to highlight that it is still unclear if the Equifax breach is linked to any Struts vulnerability, in particular the CVE-2017-9805.

 “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any.” Wrote the veeo for Struts René Gielen, in a post,

Gielen, who analyzed the vulnerability timeline, explained that while Equifax was breached in mid-May 2017, the Struts vulnerability CVE-2017-9805 was announced only in early September 2017.

Gielen therefore speculates that “the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time [July] – a so-called Zero-Day-Exploit.”

The outlet QZ.com alleged that the hackers exploited a flaw in Apache Struts, it also pointed out that the vulnerability may have been present in Struts for nine years.

Apache development ream rejected the accusation with the following statement:

“Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here – we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP.”

It is more likely the hackers have targeted Equifax by exploiting the CVE-2017-5638 a vulnerability exploited in the wild since March.

“For either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax,” explained Jeff Williams, co-founder and CTO at Contrast Security. “In one case, an OGNL expression. In the other, a serialized object. The Equifax Struts application would receive this request, and get tricked into executing operating system commands. The attacker can use these to take over the entire box – do anything the application can do. So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”

New York Attorney General Eric T. Schneiderman announced the an official investigation into the Equifax security breach.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Struts CVE-2017-9805 RCE, Equifax)

[adrotate banner=”12″]


facebook linkedin twitter

CVE-2017-9805 Cybercrime Equifax data breach Hacking Struts

you might also like

Pierluigi Paganini August 21, 2025
Apple addressed the seventh actively exploited zero-day
Read more
Pierluigi Paganini August 21, 2025
Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Apple addressed the seventh actively exploited zero-day

    Security / August 21, 2025

    Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection

    Malware / August 21, 2025

    A Scattered Spider member gets 10 years in prison

    Cyber Crime / August 21, 2025

    FBI: Russia-linked group Static Tundra exploit old Cisco flaw for espionage

    Intelligence / August 21, 2025

    US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

    Security / August 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT