Equifax Ignored Apache Struts Patch For Months
In the aftermath of the second massive security breach at Equifax Inc. in four years, the Apache Foundation confirmed this week the data breach stemmed from the consumer credit reporting agency's failure to install patches to Apache Struts, an open source framework used to build Java web applications.
In a statement released Thursday (Sept. 14), the foundation said a vulnerability in Apache Struts, an open source framework for creating "enterprise-grade" Java web applications, was announced and patched on March 7, 2017. Six months later, Atlanta-based Equifax announced a data breach affecting an estimated 143 million consumers.
"The Equifax data compromise was due to their failure to install the security updates provided in a timely manner," the Apache Foundation statement concluded.
The initial report in March of the Struts vulnerability, designated CVE-2017-5638, was addressed to "all Struts 2 developers and users." They were warned in March of "possible [remote code execution] when performing file upload…." Remote code execution exploits frequently associated with Struts allow attackers to take over a server via malicious code.
The patch involved either an upgraded version of Strut or using a different implementation of the compromised uploading tool.
Earlier this week, Equifax confirmed that its servers had been hit by the Apache Struts vulnerability. "We know that criminals exploited a U.S. web site application vulnerability," the company confirmed on Wednesday (Sept. 13) "The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."
Equifax (NYSE: EFX), which has drawn the ire of consumers, security experts and lawmakers for allowing among of the largest consumer security breaches in history, offered no explanation as to why it did not patch the vulnerability that had been available for six months.
The early September breach is the second suffered by the credit-reporting firm since 2013. The second major Equifax data breach in four years "is a clear indication that corporate America still does not have proper information technology asset management techniques" in place, asserted Barbara Rembiesa, CEO of the International Association of IT Asset Managers.
Cyber security vendors also were quick to note that large enterprises such as Equifax often fall short in managing security patches. "More often than not, we are seeing breaches as a result of an organization's failure to implement security 101 principles, proper patch management, secure software development, processes and procedures," asserted Leigh-Anne Galloway, a cyber-security executive with Positive Technologies, an enterprise security specialist. "It’s the basic things that organizations fail to do, again and again."
Apache Struts is widely used for front- and back-end web applications and in Internet of Things devices. The Apache Foundation said it is currently deployed among "the world's most visible financial institutions, government organizations, technology service providers, telecommunications agencies, and Fortune 100 companies."