It’s an all-Equifax-breach/Apache Struts/CVE-2017-5638 issue of Open Source Insight this week, as we examine how an unpatched open source flaw and an apparent lack of diligence exposed sensitive data for over 140 million US consumers. We look at what happened, how you can see whether you’ve been affected by the breach, and discuss whether you should replace Struts with another framework.
Also recommended reading are the following articles from the Synopsys Software Integrity blog, which you should subscribe to for the latest security news. Synopsys was blogging on CVE-2017-5638 and what you could do to protect yourself against the vulnerability from its initial disclosure in March.
via Krebs on Security: Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time—when hackers accessed the company’s systems in mid-May 2017.
via TechBeacon: Mike Pittenger, VP of security strategy at Synopsys, looks at the causes of the Equifax breach and what your team can do to prevent something similar happening to your organization.
via Synopsys Software Integrity blog (Patrick Carey): The Apache Struts Project Management Committee released a statement regarding the Equifax breach that includes excellent suggestions for securing any open or closed source supporting libraries in software products and services, which I’ll share verbatim.
via eSecurity Planet: It’s no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.
via Synopsys Software Integrity blog (Tim Mackey): The easy answer to the question is “it depends.” It’s been one hell of a year for Apache Struts. With the latest round of security disclosures comingled with the Equifax data breach, it’s reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.
via Ars Technica: As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.
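The rebuild Ars describes starts with a question many teams could not answer quickly: which of the dozens or hundreds of deployed apps actually embed an old struts2-core? The script below is an added example, not code from the article or from the Struts project, showing one way to inventory that across a deployment tree. It looks for bundled `struts2-core-<version>.jar` files and for `struts2-core` Maven coordinates in `pom.xml`, compares each version against a per-branch "fixed in" threshold, and flags anything older, anything on a branch with no known fix, and anything whose version it cannot resolve (for example a Maven property). The directory layout, the sample app names and the `DEMO_FIXED_VERSIONS` thresholds are all constructed for the demo; the real fixed versions must be taken from the Apache Struts advisory for CVE-2017-5638.

```python
import re
import tempfile
from pathlib import Path

# Bundled jar names such as struts2-core-2.3.20.jar (sample names below are constructed)
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Maven dependency coordinates inside a pom.xml
POM_RE = re.compile(r"<artifactId>struts2-core</artifactId>\s*<version>([^<]+)</version>")

# CONSTRUCTED thresholds for this demo only. They are NOT the real fix versions:
# replace them with the values in the Apache Struts advisory for CVE-2017-5638.
DEMO_FIXED_VERSIONS = {"2.3": "2.3.50", "2.5": "2.5.20"}

# Constructed deployment tree: three apps, one unrelated jar that must be ignored.
SAMPLE_TREE = {
    "sites/shop/WEB-INF/lib/struts2-core-2.3.20.jar": "",
    "sites/portal/WEB-INF/lib/struts2-core-2.5.20.jar": "",
    "sites/portal/WEB-INF/lib/commons-io-2.4.jar": "",
    "sites/legacy/pom.xml": (
        "<project><dependencies><dependency>\n"
        "  <groupId>org.apache.struts</groupId>\n"
        "  <artifactId>struts2-core</artifactId>\n"
        "  <version>2.1.8</version>\n"
        "</dependency></dependencies></project>\n"
    ),
}


def parse_version(v):
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically; None if unparseable."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(version, fixed_versions):
    """True when the version is below the fix for its branch (e.g. '2.3'), when the
    branch has no known fix, or when the version cannot be resolved. The inventory
    never silently assumes 'safe': anything it cannot prove fixed needs a human look."""
    parts = parse_version(version)
    if parts is None:
        return True
    branch = ".".join(str(p) for p in parts[:2])
    fixed = fixed_versions.get(branch)
    if fixed is None:
        return True
    return parts < parse_version(fixed)


def find_struts(root):
    """Walk a deployment tree and yield (path, version) for every embedded struts2-core."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        m = JAR_RE.match(path.name)
        if m:
            yield str(path), m.group(1)
        elif path.name == "pom.xml":
            for v in POM_RE.findall(path.read_text()):
                yield str(path), v.strip()


def inventory(root, fixed_versions):
    """Return sorted (path, version, needs_rebuild) triples for the whole tree."""
    return sorted((p, v, is_vulnerable(v, fixed_versions)) for p, v in find_struts(root))


def run_demo():
    """Write the constructed tree into a temp dir, run the inventory, return root-relative results."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return [
            (Path(p).relative_to(root).as_posix(), v, flag)
            for p, v, flag in inventory(root, DEMO_FIXED_VERSIONS)
        ]


if __name__ == "__main__":
    for path, version, flag in run_demo():
        print(("REBUILD " if flag else "ok      ") + f"{version:10} {path}")
```

Run it on a real tree with `inventory("/path/to/deployments", fixed_versions)`. The flagged list is the rebuild queue; the "unknown branch" and "unresolved version" cases are deliberately flagged rather than skipped, because an app that resolves its Struts version through a Maven property is exactly the one a naive jar-name grep would miss.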
via New York Times: On Tuesday, the company said it would waive all fees until Nov. 21 for people who want to freeze their Equifax credit files. It will also refund any fees that anyone has paid since Thursday, though the company would not say whether this would be automatic.
Equifax confirmed that its high-profile, high-impact data breach was due to exploitation of CVE-2017-5638, a vulnerability in an open source component, Apache Struts. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media. Synopsys open source security experts share their analysis of what happened at Equifax and provide guidance to help your company avoid being the next front-page news story.