The recently announced data breach at Equifax that exposed the Social Security numbers and other personal information of nearly half of the U.S. population was the result of the company failing to install a security patch for Apache Struts in a timely manner.
Equifax, one of the three credit monitoring bureaus in the United States, announced the breach on Sept. 7. At the time, the company said that attackers broke in through a “website application vulnerability” in mid-May and remained undetected until July 29.
On Wednesday, the company posted an update on its website to clarify that “the vulnerability was Apache Struts CVE-2017-5638.” This is a remote code execution vulnerability in the Apache Struts component called the Jakarta Multipart parser that was patched on March 7 with the release of Struts 2.3.32 and Struts 2.5.10.1.
Apache Struts is a development framework for Java-based web applications that is particularly popular in enterprise environments.
During the days that followed the initial breach announcement, there were unsubstantiated claims that the exploited vulnerability had been in Apache Struts. Those claims traced back to a report released by the equity research arm of financial services firm Baird.
“Our understanding is data retained by EFX [Equifax] primarily generated through consumer interactions was breached via the Apache Struts flaw (i.e., core databases not believed to have been breached),” the Baird analysts said in the report, without specifying the source of this information.
This created a bit of confusion because the Apache Struts developers had just released a patch for another critical remote code execution vulnerability several days before the Equifax breach announcement. That vulnerability was located in the framework’s REST plugin and was identified as CVE-2017-9805.
The Apache Struts Project Management Committee (PMC) released a public statement on Saturday to address the reports claiming that a Struts vulnerability — possibly CVE-2017-9805 — might have led to the Equifax breach. The Committee took the opportunity to explain the project’s development practices and security response procedures.
Following the confirmation Wednesday from Equifax that attackers actually exploited an older vulnerability, the Apache Software Foundation issued a new statement that reads: “This vulnerability was patched on 7 March 2017, the same day it was announced. In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
The failure to deploy a critical security patch for over two months — from March 7 to mid-May — reflects badly on Equifax’s security practices. And it’s even worse because the patch for CVE-2017-5638 was followed in March by widespread attacks that exploited the flaw to install ransomware and other malicious programs on servers. Those attacks were reported in the media, and security firms issued alerts about them.
The Apache Struts PMC provided the following recommendations for Struts users in order to keep their web applications and servers secure:
- Understand which supporting frameworks and libraries are used in your software products and which versions. Keep track of security announcements affecting those products and versions.
- Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
- Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
- Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
- Establish monitoring for unusual access patterns to your public web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical web-based services.
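As an added example that is not from the article or the Struts project, the following Python script acts on the first recommendation: it reads a Maven pom.xml, resolves versions that are indirected through build properties, and flags Struts dependencies older than the CVE-2017-5638 fix release for their line. The pom.xml is constructed for the example, and the 2.5-line fix version 2.5.10.1 and the per-line version table are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Minimum Struts version per release line that carries the CVE-2017-5638 fix
# (2.3.32 is stated in the article; 2.5.10.1 is assumed for the 2.5 line).
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

# Constructed sample pom.xml: the version is indirected through a property, as is
# common in enterprise builds, and 2.5.10 is one patch level short of the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def version_key(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def resolve(version, props):
    """Replace ${name} placeholders with values taken from <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)

def struts_findings(pom_text):
    """Return (artifactId, version, fixed_version) for every org.apache.struts
    dependency below the fix for its line; unknown lines are flagged for review."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", "", NS) != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", "", NS)
        version = resolve(dep.findtext("m:version", "", NS), props)
        fixed = FIXED_VERSIONS.get(".".join(version.split(".")[:2]))
        if fixed is None or version_key(version) < version_key(fixed):
            findings.append((artifact, version, fixed))
    return findings
```

Running the same check in CI against every build file is what turns the PMC's "keep track of versions" advice into something that fires before a release ships, rather than after an announcement is missed.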
It’s also worth noting that an exploit is already available for the REST plugin vulnerability patched earlier this month and security researchers have already observed attacks taking advantage of it. If you haven’t updated your Struts deployments by now, do so as soon as possible.