Photo by: Vimeo
Apache Struts CVE-2017-5638 was the vulnerability that was patched two months ago but which still allowed the Equifax data breach that Equifax states happened in May, according to a statement released by Equifax on Thursday.
The credit reporting agency said last week that 143 million of its US. based consumers’ information was breached. According to Equifax officials via online post, "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement." They also stated, "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted."
The Apache Struts framework fix occurred on March 6 and it is said that the bug attacked three days later. The hackers took advantage of the flaw to install rogue apps on Web servers. However, Equifax maintains the breach did not happen until the middle of May.
In light of last week's disclosure, it seems that Equifax had not updated its Web application even after they knew they (and their millions of consumers) were extremely vulnerable to a security breach. Ars, an IT solutions based company dealing with security among other things told Equifax when the hole in security was first found that patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Equifax has not responded or commented about this.
Websites use apps that are scattered over dozens of different servers and these need to be rebuilt and then rigorously tested to make sure they won’t break other website functions once implemented back into production.
Baird Equity Research reported that it had no evidence Equifax was breached through the Apache security hole, and the Apache Software Foundation put out a statement that said they did not know whether or not the Apache Struts vulnerability was the route for the breach either.
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
Annualcreditreport.com and Experian also use the Apache Struts application, along with many Fortune 500 companies, government agencies, and several other high-level businesses.