
Struts Flaw behind Equifax Breach Disclosed and Patched in March


Reports have appeared in the press and online that the hackers who stole the personal details of 143 million Americans from the Equifax credit report company exploited a security flaw in the Apache Struts framework. Struts is an open source MVC framework for creating Java-based Web applications. The Apache Software Foundation, which acts as custodian of the framework, has released a statement responding to the claims.

Initial media reports suggested that the breach may have been the result of an undisclosed flaw in Struts, but Equifax has now admitted that CVE-2017-5638 was the Struts vulnerability used in the attack, and, since this article was first published, the Apache Software Foundation has also confirmed it. This flaw, which is in the Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1, was disclosed and patched by the Apache Struts team in March. However, the breach occurred at Equifax in mid-May and remained open until Equifax discovered it at the end of July. During this time attackers had access to the personal data of customers, including social security numbers, dates of birth and addresses. 209,000 customers also had their credit card numbers accessed, and the personal data of an unknown number of UK and Canadian citizens was also exposed.
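The affected ranges quoted above (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) are the first thing a defender needs to check against a dependency inventory. The following is an added example, not code from the InfoQ article or from the Struts project: it parses version strings, classifies each against the two fixed releases named in the article, and runs over a constructed inventory whose host names and records are invented for the example. It only reports on the two branches the advisory names and says nothing about other Struts branches.

```python
"""Classify Apache Struts 2 versions against the CVE-2017-5638 affected ranges.

Affected ranges, as quoted in the article from the Apache advisory:
  2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
The inventory format and host names below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# First fixed release on each branch named in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A trailing qualifier such as '-SNAPSHOT'
    is stripped, so a pre-release of the fixed version is treated as fixed;
    tighten this if your builds use such versions."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version: str) -> str:
    """Return 'affected', 'patched', or 'outside-advisory'.

    Python compares tuples element by element and treats a shorter prefix as
    smaller, so (2, 5, 10) < (2, 5, 10, 1) holds, which is exactly the
    '2.5.x before 2.5.10.1' rule."""
    parts = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parts[:2])
    if fixed is None:
        # Branches the advisory does not name (e.g. 2.1.x): make no claim.
        return "outside-advisory"
    return "affected" if parts < fixed else "patched"


# Constructed inventory: one "<host> <artifact> <version>" record per line,
# in the shape an asset-management export might provide.
SAMPLE_INVENTORY = """\
web-01 struts2-core 2.3.31
web-02 struts2-core 2.3.32
web-03 struts2-core 2.5.10
web-04 struts2-core 2.5.10.1
web-05 struts2-core 2.5.13
legacy-01 struts2-core 2.1.8.1
"""


def find_affected(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, version) pairs whose struts2-core is in an affected range."""
    hits: List[Tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, artifact, version = line.split()
        if artifact == "struts2-core" and classify(version) == "affected":
            hits.append((host, version))
    return hits


if __name__ == "__main__":
    for host, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: struts2-core {version} is in the CVE-2017-5638 affected range")
```

Run against the constructed inventory, `find_affected` reports web-01 (2.3.31) and web-03 (2.5.10) and leaves legacy-01 unclassified, since 2.1.x is not one of the branches the advisory covers. The deliberate choice to return a third state rather than "patched" for such hosts keeps an inventory sweep from giving false reassurance about versions the advisory never addressed.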

Once almost synonymous with Java web application development, Struts still has a substantial footprint across the industry, especially in the enterprise legacy application space. The Project Management Committee of the Apache Software Foundation has responded to the claims in the media coverage by making several points. First, that it is still unclear whether or not the source of the breach was indeed a flaw in Struts. Secondly, that if it was, the attackers must have "either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time". This comment was prompted by speculation that the flaw exploited by the hackers was the CVE-2017-9805 vulnerability, which was publicly announced on the 4th of September, over a month after the breach at Equifax was discovered. The statement goes on to outline several software engineering principles that, if followed by anyone utilizing open or closed source software libraries, will "help to prevent breaches such as unfortunately experienced by Equifax".

As shares in Equifax dropped by nearly 14% on Wall Street, the BBC reported that two US Congressional committees will be holding hearings into the data breach, while attorneys general in New York, Illinois, Massachusetts, Connecticut and Pennsylvania are also opening state investigations into the incident.
