Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability
Download as PPTX, PDF1 like610 views
The document discusses the significant Equifax data breach, which exposed the sensitive information of over 140 million consumers due to an unpatched vulnerability in Apache Struts (CVE-2017-5638). It highlights the importance of patching open source software, the potential risks associated with using Apache Struts, and provides recommendations for consumers to check if they were affected. Additionally, it emphasizes the need for vigilance against identity theft and offers resources for protection.
Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability
- 1. Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability By Fred Bals | Senior Content Writer/Editor
- 2. Cybersecurity News This Week It’s an all Equifax breach/Apache Struts/ CVE-2017-5638 issue of Open Source Insight this week as we examine how an unpatched open source flaw and an apparent lack of diligence exposed sensitive data for over 140 million US consumers. We look at what happened, how you can see if you’ve been affected by the breach, and discuss whether you should replace Struts with another framework. Also recommended reading are the following articles from the Black Duck blog, which you should subscribe to for the latest open source security news. Black Duck was blogging on CVE-2017-5638 and what you could do to protect yourself against the vulnerability from its initial disclosure in March.
- 3. • Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop • Why the Equifax Breach Should Never Have Happened • Did Lack of Visibility into Apache Struts Lead to the Equifax Breach? • Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach Open Source News
- 4. More Open Source News • Should You Replace Apache Struts? Maybe. Or, Maybe Not. • Failure to Patch Two-month-old Bug Led to Massive Equifax Breach • See if You Were Affected by the Equifax Cybersecurity Incident • (Webinar) Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017- 5638
- 5. via the Black Duck Blog: • Critical Vulnerability CVE-2017-5638 Attacks Escalating • CVE-2017-5638: Anatomy of the Apache Struts Vulnerability • Pandora’s Box – Exploits Show Package Manager Blind Spots • "Easy" to Hack Apache Struts Vulnerability CVE-2017-9805 Apache Struts Vulnerability Information
- 6. Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop via Krebs on Security: Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.
- 7. via TechBeacon: Mike Pittenger, VP of security strategy at Black Duck Software, looks at the causes of the Equifax breach and what your team can do to prevent something similar happening to your organization. Why the Equifax Breach Should Never Have Happened
- 8. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach? via Black Duck blog (Patrick Carey): The Apache Struts Project Management Committee released a statement regarding the Equifax breach that includes excellent suggestions for securing any open or closed source supporting libraries in software products and services, which I'll share verbatim.
- 9. via eSecurity Planet: It's no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications. Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach
- 10. Should You Replace Apache Struts? Maybe. Or, Maybe Not. via Black Duck blog (Tim Mackey): The easy answer to the question is “it depends.” It’s been one hell of a year for Apache Struts. With the latest round of security disclosures comingled with the Equifax data breach, it's reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.
- 11. via Ars Technica: As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site. Failure to Patch Two-month-old Bug Led to Massive Equifax Breach
- 12. See if You Were Affected by the Equifax Cybersecurity Incident via Equifax: To determine if your personal information may have been impacted and for steps to protect your information, please visit https://www.equifaxsecurity2017.com/. We recommend that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions. We also recommend that they monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps they can take to better protect against identity theft as well as information about fraud alerts and security freezes.
- 13. via New York Times: On Tuesday, the company said it would waive all fees until Nov. 21 for people who want to freeze their Equifax credit files. It will also refund any fees that anyone has paid since Thursday, though the company would not say whether this would be automatic. Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees
- 14. (Webinar) Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638 Equifax confirmed that their high profile, high impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media. Black Duck open source security experts share their analysis of what happened at Equifax and provide you with guidance to help your company avoid being the next front page news story. Join the webinar October 5 at 11 AM EST. (Watch on demand after 10/5/17)
- 15. Subscribe Stay up to date on open source security and cybersecurity – subscribe to our blog today.