Apache Struts and Equifax – What the Experts Have To Say


Apache Struts is a free, open-source MVC framework for building modern Java web applications. It favors convention over configuration, is extensible through a plugin architecture, and ships with plugins supporting REST, AJAX and JSON. Unfortunately, an unpatched Struts installation was also the point of entry for the attackers who stole the records of roughly 145 million US consumers from Equifax, a breach first disclosed in September 2017. The flaw, CVE-2017-5638, is a remote code execution vulnerability in the framework's Jakarta Multipart parser; Apache published the fix (Struts 2.3.32 and 2.5.10.1) in March 2017, more than two months before the intrusion began, but Equifax did not apply it. Now, more than a year after that fix shipped, we are learning that the breach was more serious than previously reported and that many Global Fortune 100 companies have still not applied the patch.
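Knowing that a patch exists is not the same as knowing whether it has been applied. The script below is an added example, not code from the article or from the Apache Struts project: it checks deployed struts2-core jars against the fix versions for CVE-2017-5638 (affected 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1, per the Apache advisory for that CVE). It reads the version both from the jar file name and, more reliably, from the Maven pom.properties that Maven-built jars carry inside META-INF, so a renamed jar is still identified. The inventory it scans and the in-memory jar it builds are constructed test fixtures.

```python
"""Check struts2-core artifacts against the fix versions for CVE-2017-5638.

Added example (not from the article or the Struts project). Thresholds are
taken from the Apache advisory for CVE-2017-5638: affected 2.3.5 - 2.3.31 and
2.5 - 2.5.10, fixed in 2.3.32 and 2.5.10.1. The jar inventory below is
constructed for illustration.
"""
import io
import re
import zipfile
from typing import Optional

JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
POM_PREFIX = "META-INF/maven/org.apache.struts/struts2-core/"


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); pad to four parts so 2.5.10 < 2.5.10.1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def vulnerable_to_cve_2017_5638(version: str) -> bool:
    """True if the version falls inside either affected range of the advisory."""
    v = parse_version(version)
    if (2, 3, 5, 0) <= v < (2, 3, 32, 0):
        return True
    if (2, 5, 0, 0) <= v < (2, 5, 10, 1):
        return True
    return False


def version_from_jar_name(name: str) -> Optional[str]:
    """Cheap check: version encoded in the file name (easily defeated by renaming)."""
    m = JAR_NAME_RE.search(name)
    return m.group(1) if m else None


def version_from_jar_bytes(data: bytes) -> Optional[str]:
    """Reliable check: read the version Maven recorded inside the jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.startswith(POM_PREFIX) and entry.endswith("pom.properties"):
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.MULTILINE)
                if m:
                    return m.group(1)
    return None


def build_fake_struts_jar(version: str) -> bytes:
    """Constructed fixture: a minimal jar holding only struts2-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PREFIX + "pom.properties",
            f"version={version}\ngroupId=org.apache.struts\nartifactId=struts2-core\n",
        )
    return buf.getvalue()


def assess_jar(name: str, data: Optional[bytes] = None) -> str:
    """Prefer the embedded version, fall back to the file name, else report unknown."""
    version = version_from_jar_bytes(data) if data else None
    if version is None:
        version = version_from_jar_name(name)
    if version is None:
        return "unknown: no struts2-core version found"
    status = "VULNERABLE" if vulnerable_to_cve_2017_5638(version) else "not affected"
    return f"{status} (struts2-core {version})"


if __name__ == "__main__":
    # Constructed inventory: an old jar, a fixed jar, a renamed jar whose
    # version is only visible inside, and an unrelated library.
    inventory = [
        ("lib/struts2-core-2.3.31.jar", None),
        ("lib/struts2-core-2.5.10.1.jar", None),
        ("lib/framework.jar", build_fake_struts_jar("2.5.10")),
        ("lib/commons-io-2.5.jar", None),
    ]
    for jar_name, blob in inventory:
        print(f"{jar_name}: {assess_jar(jar_name, blob)}")
```

"Not affected" here means not affected by CVE-2017-5638 only; later Struts advisories raised the minimum safe version further, so an inventory check like this has to be re-run against each new advisory rather than treated as a one-time gate.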

On May 8, 2018, ArsTechnica.com reported:

“On May 7, executives of Equifax submitted a “statement for the record” to the Securities and Exchange Commission detailing the extent of the consumer data breach the company first reported on September 7, 2017… Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver’s license numbers “in some instances,” in addition to the credit card numbers of 209,000 individuals. The company’s management had also reported “certain dispute documents” submitted by about 182,000 consumers contesting credit reports had been exposed as well, in addition to some information about British and Canadian consumers… But the exact details of the nature of these documents and information had not been revealed, in part because Equifax felt it did not have a legal obligation to disclose those details.”

According to Sonatype, there were eight more Struts breaches:

“When using vulnerable versions of the framework, organizations are breached. Everyone knows the Equifax story, but for folks like me who have been paying closer attention, the story also includes the Canadian Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR, Apple, University of Delaware, and the GMO Payment Gateway.”

Fortune.com reported that “Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax” and that the vulnerability remains unaddressed by half of the Global Fortune 100.

Justin Jett, Director of Audit and Compliance for Plixer:

“It is very concerning that a large number of Fortune 100 companies continue to use and deploy flawed versions of Apache Struts, especially since the largest breach to American data was possible because of this unpatched software. Companies using legacy versions of Struts should immediately start the process of updating systems to the latest version. In the interim, while systems are being tested against the current version, companies should verify that data breaches are not taking place with network traffic analytics. By using contextual data from the entire network, companies can verify that malicious actors are not accessing servers on their network that have been identified as vulnerable. Network traffic analytics gives visibility to these vulnerable servers. When data exfiltration or unwanted connections from bad actors are detected, IT professionals can quickly stop the data theft or block the unwanted connections.”

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks:

“Seven months should be enough time for organizations to install the necessary patches and it’s unfortunate that so many still choose to download the older vulnerable versions. There is really no excuse for this.

“Equifax vulnerability CVE-2017-5638 allowed unauthenticated remote code execution on Java web applications via the REST plugin with XStream handler to handle XML payloads. This vulnerability was fixed in the Apache Struts version 2.5.13 in September 2017.

“In 2016, known vulnerabilities were the leading cause of data breaches, accounting for 44 percent of all such incidents. I highly recommend that organizations apply critical security patches within one week of their release in order to reduce the known threat attack surface. Otherwise, it’s the same as buying expensive locks for the doors to your home but keeping the windows wide open.”

Ray DeMeo, COO and Co-founder, Virsec:

“Unfortunately, it’s not surprising that there is still widespread use of a vulnerable version of Apache Struts. Even in the best run organizations, patching is much more difficult, time-consuming and problematic than most people want to admit. Most software updates don’t just fix bugs – they also introduce new or changed capabilities that always risk unexpected consequences. And many older applications are limited to older platforms that are un-patchable or no longer supported. We need to move beyond this mindset that patching is a security panacea, and look for ways to protect any application as is.”

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks:

“We’ve unfortunately made cyber breaches a whole lot easier for threat actors. There’s no need for a high-value zero-day vulnerability to breach a network, one only needs to read the NIST database of reported vulnerabilities.

“Eight days into May 2018 and there are already 156 vulnerabilities reported. Most of them will have patches available, but the vast majority of vulnerable systems will remain unpatched long enough for a cyber attacker to take advantage of the window of opportunity. Cyber threat actors understand this behavior and have developed processes for integrating exploit code as quickly as proofs of concepts are posted on Pastebin.com. Sometimes they don’t wait for a PoC and develop their own working attack within hours or days of a vulnerability being disclosed.

“It is criminal in my opinion to knowingly postpone a security update beyond a reasonable amount of time and suffer a breach as a consequence. EternalBlue does not have to be eternal, we have the power to turn it into LegacyBlue by patching our systems.”

Steven Bowcut, CPP, PSP, is the Editor-in-Chief for Brilliance Security Magazine