Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Equifax Breach Potentially Triggered by Apache Struts Vulnerability

    By
    SEAN MICHAEL KERNER
    -
    September 11, 2017
    Share
    Facebook
    Twitter
    Linkedin
      apache struts

      A financial analyst firm with ties to Equifax has reported a potential root cause of the massive breach at the credit reporting and monitoring. A Baird Equity Research report claims Equifax told the company that a vulnerability in the open-source Apache Struts framework was the root cause of the data breach.

      “Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw,” the report stated.

      To date, Equifax has neither publicly confirmed nor denied the claim that a flaw in Apache Struts was the root cause of the massive exploit that leaked data on 143 million Americans that was first publicly disclosed on Sept. 7. The only detail that Equifax has publicly stated about the root cause of the breach is that it was a web application vulnerability. 

      The Apache Software Foundation, which oversees the development of Struts, has responded to the claims that Struts may have been involved in the Equifax security breach. 

      “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework,” René Gielen, vice president of Apache Struts, wrote in a statement. “At this point in time it is not clear which Struts vulnerability would have been utilized, if any.”

      In recent months, multiple vulnerabilities have been patched in the Apache Struts framework. On Sept. 5, the Struts project issued an update for three software vulnerabilities, only one of which was rated as being critical. The critical vulnerability was identified by the Struts project as CVE-2017-9805 and is a possible remote code execution (RCE) attack vulnerability.

      By its own admission, Equifax was breached in mid-May, months before CVE-2017-9805 was publicly disclosed and patched, making it unlikely it was the vulnerability used by attacker.

      A more likely possibility is that attackers made use of a flaw that the Struts project fixed in March identified as CVE-2017-5638, which is also a RCE vulnerability. In the days immediately following the CVE-2017-5638 patch, opportunistic hackers went after unpatched systems. Among the publicly identified organizations that were exploited by the CVE-2017-5638, after the Struts project released an update, was the Canada Revenue Agency.

      Among the challenges some organizations face updating Struts is the fact that it is often embedded as part of larger applications that update on different release cycles. For example, though CVE-2017-5638 was patched by the Apache Struts project on March 6, it wasn’t until April 18 that Oracle patched its software packages that included Struts.

      “We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention,” Gielen stated.

      Gielen and the Apache Struts project also offered some advice on how organizations can help to secure themselves from software vulnerability risks. Gielen recommends that organizations have a process to quickly implement software patches when they become available to help reduce risk. 

      Other recommendations for security best practices include having multiple layers of security technologies in place, as well as monitoring capabilities that can alert for potentially anomalous activity.

      “Any complex software contains flaws,” Gielen stated. “Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.”

      “Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax,” he added.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×