Equifax Confirms: Unpatched Security Vulnerability in Apache Struts 2 Caused Data Breach

Equifax officials confirmed today that the unpatched Apache Struts 2 web application vulnerability CVE-2017-5638 caused the massive data breach. An estimated 143 million people were exposed to identity theft in one of the largest data breaches in history. The credit reporting agency set up equifaxsecurity2017.com to help consumers determine whether their information was compromised.

The aftermath

It took Equifax five weeks to disclose the hack after it was discovered in July – company stock has plummeted 30% since the breach was finally announced. The company is not just facing its customers’ wrath, but is also under an FTC investigation. “The FTC typically does not comment on open investigations,” FTC spokesman Peter Kaplan said. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

The Securities and Exchange Commission and the Consumer Financial Protection Bureau are rumored to be preparing their own investigations.

Zero day

At the time it was discovered, in March 2017, the Apache Struts CVE-2017-5638 vulnerability was a zero-day — a term used to describe unpublished bugs that attackers are already exploiting. The Apache Struts team released a patch for the vulnerability on March 6, 2017. It is still unclear whether Equifax was unaware that its code used Apache Struts at the time of the breach, or whether it knew and failed to patch.

Companies running a Software Composition Analysis solution can easily track all third-party components in their products, and are alerted about a vulnerability in one of those components as soon as it is disclosed.
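As an added illustration (not code from Equifax, Flexera or any SCA product) of what such a tool does at its core: it inventories the declared third-party components of an application and matches them against advisory data. The pom.xml, the advisory record and its fixed-version bound are constructed placeholders; the real affected versions for CVE-2017-5638 come from the Apache Struts advisory.

```python
# Added example, not Equifax's or any vendor's code: a minimal SCA check that
# inventories Maven dependencies and matches them against an advisory list.
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for an application that depends on Struts 2.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.20</version></dependency>
    <dependency><groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId><version>1.7.25</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory record. "fixed_in" is a PLACEHOLDER bound: the real
# fixed versions come from the Apache Struts advisory, not from this page.
ADVISORIES = [
    {"cve": "CVE-2017-5638", "group": "org.apache.struts",
     "artifact": "struts2-core", "fixed_in": "2.3.99"},
]

def parse_version(v):
    """Split '2.3.20' into (2, 3, 20) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def inventory(pom_xml):
    """Return [(groupId, artifactId, version)] for each declared dependency."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    deps = []
    for d in ET.fromstring(pom_xml).findall(".//m:dependency", ns):
        text = lambda tag: d.findtext(f"m:{tag}", default="", namespaces=ns)
        deps.append((text("groupId"), text("artifactId"), text("version")))
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Flag dependencies whose version is below an advisory's fixed_in."""
    hits = []
    for group, artifact, version in deps:
        for adv in advisories:
            if (group, artifact) == (adv["group"], adv["artifact"]) and \
                    parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((adv["cve"], f"{group}:{artifact}:{version}"))
    return hits

if __name__ == "__main__":
    for cve, coord in find_vulnerable(inventory(SAMPLE_POM)):
        print(f"{coord} is affected by {cve}; upgrade to the patched release")
```

A real SCA tool resolves transitive dependencies and shaded jars as well, which is where most of the "20 times larger" gap described below comes from.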

Lax OSS practices

Until recently, enterprises have not feared financial liability resulting from data breaches. The past months have seen a rise in legislation and lawsuits around insufficient data security practices, including the handling of open source components. “Even during a Merger & Acquisition (M&A) – when a company is expected to provide as much information as possible – most organizations are unable to disclose even a single open source project they depend on,” says Jeff Luszcz, VP of Product Management at Flexera. “For many companies who have some components on their list, this list is still a small fraction of the true list of dependencies. Research shows that a company’s true list is typically on average 20 times larger than their current disclosure.”

Your responsibility towards consumer data

Software suppliers that collect sensitive data from their customers have a particular responsibility to protect this data. Breaches are very difficult to recover from – in terms of lawsuits, fines and reputation. “All aspects of data security are important,” explains Jeff Luszcz, VP of Product Management at Flexera, as he talks about how ignoring open source components undermines software security.

It’s time to start taking control of your open source software with an automated open source license compliance and vulnerability risk management solution.