lolloj - Fotolia

News

Apache Struts vulnerability blamed for Equifax data breach

Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens.

Michael Heller, Senior Reporter

Published: 15 Sep 2017

Speculation about the cause of the Equifax breach has been proven true, as the company has confirmed an unpatched critical Apache Struts vulnerability was used by attackers to steal data.

Late on Sept. 13, 2017, Equifax updated its breach information page to say its investigation into the incident revealed the attackers exploited a web app vulnerability and identified that vulnerability as Apache Struts CVE-2017-5638.

This Apache Struts vulnerability was disclosed and patched in March 2017, and it was given the highest critical rating on the CVSS, because it is a remote code execution flaw that was being exploited in the wild at that time.

Equifax has not released any more details beyond what is on its breach page, but the company had previously said the intrusion into its systems began in mid-May, implying the Apache Struts vulnerability was left unpatched for at least two months.

Equifax has not responded to requests for comment at the time of this post.

Why patch management matters

Leigh-Anne Galloway, cybersecurity resilience officer at Positive Technologies, an enterprise security company based in Framingham, Mass., said it is fairly common to see companies failing at the basic things like "proper patch management, secure software development, processes and procedures."

"In this case, the vulnerability allowed attackers to execute arbitrary code on a server by manipulating the Content-Type HTTP header. Given how often flaws of this nature are discovered, it's therefore not a huge surprise that an exploit of a vulnerability was the entry point for the Equifax breach," Galloway told SearchSecurity. "The cause, though, was a failure on Equifax's part to patch the issue when a fix became available. The Equifax breach is an example of where some simple measures, like a web application firewall and patch management, could have prevented a breach of unprecedented scale from occurring."

This is not some crazy movie-plot attack scenario. Everyone knows that library vulnerabilities are disclosed many times a year.

Jeff Williamsco-founder and CTO at Contrast Security

Jeff Williams, co-founder and CTO at Contrast Security, an application security company based in Los Altos, Calif., called it "outrageous that companies haven't deployed the technology they need to protect applications from vulnerabilities during development and from attacks in operations."

"This is not some crazy movie-plot attack scenario. Everyone knows that library vulnerabilities are disclosed many times a year," Williams told SearchSecurity. "Companies that have been relying on legacy application security tools from the early 2000s to protect their enterprise have a very false sense of their security. Those tools are simply too slow, inaccurate and manual-intensive to provide protection for modern applications and modern threats."

Jonathan Cran, vice president of product for Bugcrowd, based in San Francisco, said it is important to note that "every vulnerability is unique and depends on the nature of the flaw and the environment in which it exists."

"In most cases, [the Apache Struts vulnerability] would have been discoverable via automated scans, given that the attack vector was an HTTP header. That said, there are certainly cases where automated scans wouldn't have found it, such as when the Struts component of an application was behind authentication," Cran told SearchSecurity. "Given the ease with which this vulnerability can be discovered, a public disclosure program would have very likely surfaced the issue to Equifax, and would do the same for other companies.

Michael Patterson, CEO of Plixer International Inc., a network traffic analysis company based in Kennebunk, Maine, said it was "completely understandable" that a single Apache Struts vulnerability like this could lead to such a large data breach.

"All it takes is a pinhole and you have a leak that causes major damage," Patterson told SearchSecurity. "Sometimes, code bases don't easily migrate to a new version of Apache. Patches can introduce bugs, which take time to fix. The issues can be cascading."

Next Steps

Learn why the Apache Struts vulnerability is still exploited

Find out why enterprises should consider automated patching

Learn how a web application firewall can help stop attacks

Dig Deeper on Web server threats and application attacks

Equifax to pay up to $700 million in data breach settlement Under the settlement with the FTC and state attorneys general, Equifax will fork over at least $575 million in civil penalties and provide credit monitoring services to consumers.

Equifax defends against scathing Senate report Equifax chief says firm did take cyber security seriously in a response to a scathing Senate report on the credit rating agency’s 2017 data breach, which experts say highlights failings around open source software

Risk & Repeat: Lessons from the Equifax breach report This week's Risk & Repeat podcast looks at the U.S. House Committee on Oversight and Government Reform report on the Equifax breach and the infosec lessons to be learned from it.

Equifax breach report highlights multiple security failures An Equifax breach report, based on a government investigation, blamed the incident on multiple security failures and concluded the breach was preventable.

New Mirai variant attacks Apache Struts vulnerability New variants of the Gafgyt and Mirai botnets are targeting unpatched enterprise devices, which indicates a greater shift away from consumer devices, according to researchers.

Risk & Repeat: Inside the GAO's Equifax breach report In this week's Risk & Repeat podcast, SearchSecurity editors discuss the Government Accountability Office's report on the Equifax breach and the questions it raises.

Michael Heller asks:

What was involved in patching the Apache Struts vulnerability that took down Equifax?

Join the Discussion

Join the conversation

5 comments

Send me notifications when other members comment.

Oldest

[-]

Michael Heller - 15 Sep 2017 9:53 AM

What was involved in patching the Apache Struts vulnerability that took down Equifax?

jbenskin - 16 Sep 2017 7:35 PM

Arbitrary code on a server was manipulating the Content-Type HTTP header due to not updating the Apache Struts through a Patch Maintenance

bl4dS3c - 16 Sep 2017 4:05 PM

Test your web application with JexBoss tool!

plasticman3 - 20 Sep 2017 1:44 PM

It is appalling, that a company of this nature didn't have a properly trained Security person (CSO), from what we hear. Shame on EQUIFAX and I do hope the General population do NOT let this go. Transunion, Equifax and all other Credit Reporting Bureaus, that have most of OUR personal information, should be held at a much higher standard. TIME TO HOLD THESE companies responsible and make sure the penalties are SEVERE FOR THIS TYPE OF VIOLATION. You had a security vulnerability identified by Apache and it took you 2 months to incorporate this. SHAME ON YOU. CSO should be removed from their position. IMHO

arclight311 - 29 Sep 2017 7:58 AM

He was - along with the CEO... shameful.

Apache Struts vulnerability blamed for Equifax data breach