On Sept. 7 Equifax announced a major data breach affecting 143 million customers. The breach was the result of a Remote Code Execution (RCE) attack that exploited a vulnerability in Apache Struts software, an open source framework for creating web applications. On the same day as the breach announcement, Apache Struts published details of CVE-2017-12611, the fourth in a series of critical RCE vulnerabilities exposed in the Struts platform since March this year alone.
According to an Equifax statement, the data breach was discovered on July 29, but the company admitted that sensitive data had been accessible to the attacker since mid-May. This means that Equifax systems had been compromised for at least 40 days before discovery, raising serious concerns about Equifax’s security practices.
Apache Struts responded quickly in a statement to clarify their position on the breach. Describing their policy of due diligence on securing their software quickly against reported vulnerabilities, Apache’s statement firmly rebuts reports that vulnerabilities published in either July or September could have been targeted unless the attacker had a zero-day exploit. In other words, the attacker would have needed knowledge of the vulnerabilities before Apache released their advisories and fixes.
The timeline of related events makes it clear that fixed versions of Struts were available at or before the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache’s assertions of consistent good practice and tells us that the attack was likely to be a product of poor security practices on the part of Equifax.