This week's Open Source Insight is all about the Equifax breach, Apache Struts, and CVE-2017-5638: we examine how an unpatched open source flaw, and an apparent lack of diligence in applying the available fix, exposed sensitive data for over 140 million US consumers. We discuss what happened, how to check whether you've been affected by the breach, and whether you should replace Struts with another framework.
Black Duck has been blogging on CVE-2017-5638 since its initial disclosure in March 2017, including recommendations for how to protect yourself from the vulnerability. Read these articles for more information, and subscribe for the latest security news:
via Krebs on Security: Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time—when hackers accessed the company’s systems in mid-May 2017.
via TechBeacon: Mike Pittenger, VP of security strategy at Black Duck, looks at the causes of the Equifax breach and what your team can do to prevent something similar happening to your organization.
via Black Duck blog (Patrick Carey): The Apache Struts Project Management Committee released a statement regarding the Equifax breach that includes excellent suggestions for securing any open or closed source supporting libraries in software products and services, which I'll share verbatim.
via eSecurity Planet: It's no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.
via Black Duck blog (Tim Mackey), on whether to replace Struts: The easy answer to the question is “it depends.” It’s been one hell of a year for Apache Struts. With the latest round of security disclosures commingled with the Equifax data breach, it's reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.
via Ars Technica: As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.
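Before any of that rebuilding can start you need an inventory of which deployed applications still carry a vulnerable Struts build. The script below is an added example written for this digest, not code from Ars Technica, Black Duck or the Struts project. It walks a directory tree, identifies struts2-core jars either by file name or by the Maven pom.properties that Maven-built jars carry under META-INF, and flags versions in the ranges the Struts project listed as affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The sample deployment tree it builds is constructed for the demonstration; the jars in it are empty shells, not real Struts artifacts.

```python
"""Inventory struts2-core jars under a directory and flag builds affected by
CVE-2017-5638 (the Jakarta Multipart parser RCE, Struts advisory S2-045).

Affected ranges per the Struts project: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
Fixed in 2.3.32 and 2.5.10.1.
"""
import os
import re
import sys
import tempfile
import zipfile

# struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar, struts2-core-2.5.13-sources.jar ...
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")
# Maven-built jars record their coordinates here; used when the jar was renamed.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_vulnerable(version):
    """True when the version falls inside an affected range for CVE-2017-5638."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)          # 2.5 through 2.5.10 are affected
    return False


def jar_version(path):
    """Version of a struts2-core jar, from its name or its pom.properties; None if neither."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as jar:
            for line in jar.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        return None                       # not a jar, or not struts2-core
    return None


def scan(root):
    """Return sorted (relative path, version, vulnerable) for every struts2-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is not None:
                findings.append((os.path.relpath(path, root), version, is_vulnerable(version)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample deployment: three exploded webapps, three struts2-core jars."""
    samples = {
        "app1/WEB-INF/lib/struts2-core-2.3.31.jar": None,   # version taken from the file name
        "app2/WEB-INF/lib/struts2-core-2.5.13.jar": None,   # patched build
        "app3/WEB-INF/lib/framework.jar": "2.5.10",         # renamed jar; only pom.properties tells
    }
    for rel, pom_version in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if pom_version:
                jar.writestr(POM_PROPERTIES, f"artifactId=struts2-core\nversion={pom_version}\n")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    # Pass a real deployment root to scan it; with no argument the constructed sample is used.
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, version, vuln in results:
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:<10} {path}")
```

Two caveats a practitioner should keep in mind. The scan only sees jars on disk in exploded form; a struts2-core jar packed inside an undeployed WAR or EAR, or a shaded copy of the Struts classes, will not be found, so treat a clean report as a starting point rather than proof. And finding a patched jar says nothing about whether the application was actually rebuilt and redeployed against it, which is the labor-intensive part the Ars excerpt describes.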
via New York Times: On Tuesday, the company said it would waive all fees until Nov. 21 for people who want to freeze their Equifax credit files. It will also refund any fees that anyone has paid since Thursday, though the company would not say whether this would be automatic.
Equifax confirmed that its high-profile, high-impact data breach resulted from exploitation of a vulnerability in an open source component, Apache Struts (CVE-2017-5638). Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail, and media. Black Duck open source security experts share their analysis of what happened at Equifax and provide guidance to help your company avoid being the next front-page news story. Watch the webinar now.