Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability

By Fred Bals | Senior Content Writer/Editor
Cybersecurity News This Week

It’s an all Equifax breach/Apache Struts/CVE-2017-5638 issue of Open Source Insight this week as we examine how an unpatched open source flaw and an apparent lack of diligence exposed sensitive data for over 140 million US consumers. We look at what happened, how you can see if you’ve been affected by the breach, and discuss whether you should replace Struts with another framework.

Also recommended reading are the following articles from the Black Duck blog, which you should subscribe to for the latest open source security news. Black Duck was blogging on CVE-2017-5638 and what you could do to protect yourself against the vulnerability from its initial disclosure in March.
Open Source News

• Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop
• Why the Equifax Breach Should Never Have Happened
• Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?
• Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach
More Open Source News

• Should You Replace Apache Struts? Maybe. Or, Maybe Not.
• Failure to Patch Two-month-old Bug Led to Massive Equifax Breach
• See if You Were Affected by the Equifax Cybersecurity Incident
• (Webinar) Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638
Apache Struts Vulnerability Information

via the Black Duck Blog:
• Critical Vulnerability CVE-2017-5638 Attacks Escalating
• CVE-2017-5638: Anatomy of the Apache Struts Vulnerability
• Pandora’s Box – Exploits Show Package Manager Blind Spots
• "Easy" to Hack Apache Struts Vulnerability CVE-2017-9805
Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

via Krebs on Security: Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.
Why the Equifax Breach Should Never Have Happened

via TechBeacon: Mike Pittenger, VP of security strategy at Black Duck Software, looks at the causes of the Equifax breach and what your team can do to prevent something similar happening to your organization.
Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

via Black Duck blog (Patrick Carey): The Apache Struts Project Management Committee released a statement regarding the Equifax breach that includes excellent suggestions for securing any open or closed source supporting libraries in software products and services, which I'll share verbatim.
Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach

via eSecurity Planet: It's no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.
Should You Replace Apache Struts? Maybe. Or, Maybe Not.

via Black Duck blog (Tim Mackey): The easy answer to the question is “it depends.” It’s been one hell of a year for Apache Struts. With the latest round of security disclosures comingled with the Equifax data breach, it's reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.
Failure to Patch Two-month-old Bug Led to Massive Equifax Breach

via Ars Technica: As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.
See if You Were Affected by the Equifax Cybersecurity Incident

via Equifax: To determine if your personal information may have been impacted and for steps to protect your information, please visit https://www.equifaxsecurity2017.com/. We recommend that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions. We also recommend that they monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps they can take to better protect against identity theft as well as information about fraud alerts and security freezes.
Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees

via New York Times: On Tuesday, the company said it would waive all fees until Nov. 21 for people who want to freeze their Equifax credit files. It will also refund any fees that anyone has paid since Thursday, though the company would not say whether this would be automatic.
(Webinar) Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638

Equifax confirmed that their high profile, high impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media. Black Duck open source security experts share their analysis of what happened at Equifax and provide you with guidance to help your company avoid being the next front page news story. Join the webinar October 5 at 11 AM EST.

(Watch on demand after 10/5/17)
Subscribe

Stay up to date on open source security and cybersecurity – subscribe to our blog today.