
Struts Flaw behind Equifax Breach Disclosed and Patched in March

by Tim Hodkinson and Charles Humble on Sep 13, 2017

Reports have appeared in the press and online that the hackers who stole the personal details of 143 million Americans from the Equifax credit reporting company exploited a security flaw in the Apache Struts framework. Struts is an open source MVC framework for building Java-based web applications. The Apache Software Foundation, which acts as custodian of the framework, has released a statement responding to the claims.

Initial media reports suggested that the breach may have resulted from an undisclosed flaw in Struts, but Equifax has now confirmed that CVE-2017-5638 was the Struts vulnerability used in the attack, and, since this article was first published, the Apache Foundation has confirmed it too. The flaw (Apache advisory S2-045) is in the Jakarta Multipart parser of Apache Struts 2, affecting 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1: a crafted Content-Type header on a file upload request is treated as an OGNL expression during error handling, giving an unauthenticated remote attacker arbitrary code execution on the server. It was disclosed and patched by the Apache Struts team in March, and exploitation in the wild was reported within days of the disclosure. The intrusion at Equifax, however, began in mid May and remained undetected until the end of July. During this time the attackers had access to personal data including social security numbers, dates of birth and addresses. Credit card numbers for around 209,000 customers were also accessed, and personal data belonging to an unknown number of UK and Canadian citizens was exposed.
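The practical lesson for anyone running Struts 2 is to know which build is actually deployed and whether it predates the fixed releases named above. The following is an added example (written for this page, not code from Equifax, InfoQ or the Apache Struts project) that checks a Struts 2 version string, or a listing of jar file names such as you would find in a web application's WEB-INF/lib directory, against the patched versions 2.3.32 and 2.5.10.1 stated in the advisory. The jar naming pattern `struts2-core-<version>.jar` matches how the Struts project publishes the core artifact; the directory listing is constructed sample input, not a real deployment.

```python
"""Flag Struts 2 builds that fall in the ranges affected by CVE-2017-5638.

Added example: the fixed versions come from the Apache advisory for the
flaw (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are affected).
Branches the advisory does not describe (e.g. 2.1.x) return None rather
than a verdict, because such builds are out of support and need a manual look.
"""
import re
from typing import Iterable, List, Optional, Tuple

# First patched release on each supported branch named in the advisory.
FIXED = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Struts publishes its core artifact as struts2-core-<version>.jar.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1).

    Tuples compare element-wise in Python and a shorter prefix sorts before
    a longer one, so (2, 5, 10) < (2, 5, 10, 1) holds as we need it to.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if affected, False if at or past the fixed release, None if the
    version is on a branch the advisory does not cover."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def scan_lib_dir(names: Iterable[str]) -> List[Tuple[str, Optional[bool]]]:
    """Return (jar name, verdict) for every struts2-core jar in a listing,
    ignoring every other jar."""
    results = []
    for name in names:
        match = JAR_RE.match(name)
        if match:
            results.append((name, is_vulnerable(match.group(1))))
    return results


# Constructed sample listing of a WEB-INF/lib directory (not from the page).
SAMPLE_LIB = [
    "commons-io-2.4.jar",
    "struts2-core-2.3.31.jar",    # last 2.3.x before the fix
    "struts2-core-2.5.10.jar",    # last 2.5.x before the fix
    "struts2-core-2.5.10.1.jar",  # first fixed 2.5.x
    "struts2-core-2.3.32.jar",    # first fixed 2.3.x
    "struts2-core-2.1.8.1.jar",   # out-of-support branch, no verdict
]

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "unsupported branch, check manually"}
    for jar, verdict in scan_lib_dir(SAMPLE_LIB):
        print(f"{jar}: {labels[verdict]}")
```

Running the script against a real WEB-INF/lib listing (for example the output of `ls WEB-INF/lib`) gives one verdict per Struts core jar. A `None` result is deliberately not reported as safe: a 2.1.x or 2.0.x build is simply older than anything the advisory evaluated and should be treated as needing an upgrade rather than as unaffected.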

Once almost synonymous with Java web application development, Struts still has a substantial footprint across the industry, especially among legacy enterprise applications. The Project Management Committee of the Apache Software Foundation responded to the media coverage by making several points. First, that at the time of the statement it was still unclear whether the source of the breach was indeed a flaw in Struts. Secondly, that if it was, the attackers must have "either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time". This comment was prompted by speculation that the flaw exploited by the hackers was CVE-2017-9805, which was publicly announced on the 4th of September, over a month after the breach at Equifax was discovered and so could not have been the entry point. The statement goes on to outline several software engineering principles, chiefly keeping an inventory of the libraries an application depends on and applying security patches to them promptly, which, if followed by anyone using open or closed source software libraries, will "help to prevent breaches such as unfortunately experienced by Equifax".

As shares in Equifax dropped by nearly 14% on Wall Street, the BBC reported that two US Congressional committees will be holding hearings into the data breach, while attorneys general in New York, Illinois, Massachusetts, Connecticut and Pennsylvania are also opening state investigations into the incident.


Actually ... by Mark N

This seems to be Struts 2 not Struts. If so, no, it is NOT widely used. Struts 2 is a totally different framework.

Re: Actually ... by Charles Humble

I've updated the post with the official confirmation from Equifax and Apache, which came in after we first ran the story. I've also clarified the versions of Struts 2 that were impacted by the flaw. Struts 1 was EOL in 2008 so when we wrote this post we thought it was obvious!

I'm not sure of your assertion that Struts 2 wasn't widely used - it very much was (and still is) though these days I guess Spring MVC would be the dominant MVC framework for Java.

Re: Actually ... by Mark N

Well, it should be obvious except there are probably apps with Struts. And it has been a problem in recent years (I remember something pretty recent). My point was by the time of Struts 2, Struts was in decline.

Jobs. It is just very seldom seen in postings. I've not touched it in 12+ years at the very least. I only used it at one place.

It is not just about MVC. It is about all the other frameworks to include NIH. There are quite a lot of Java EE only shops and they are using JSF.

Re: Actually ... by Tim Hodkinson

In my experience, there are still a lot of legacy apps out there built around Struts or similar ageing platforms. They should be updated and rewritten with newer, more secure frameworks, but enterprises, even highly profitable ones, simply won't invest in their IT infrastructure, or else they think code isn't part of that. The result is that there are lots of old applications left running business critical functions, but the platform they were written on is obsolete, full of security holes, and no one in the current organisation has the knowledge or skills to know how it really works, so it's now too risky to update. If anything, I believe this whole episode highlights that issue. I also see containerisation making this issue worse: obsolete legacy apps are now being put into Docker containers so they become the ultimate black box.
