Thursday September 14, 2017

MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit

Who: Apache® Struts™ is a popular Open Source framework for creating enterprise-grade Java Web applications. Apache Struts powers front- and back-end applications and Internet of Things (IoT) devices for many of the world's most visible financial institutions, government organizations, technology service providers, telecommunications agencies, and Fortune 100 companies.





Apache Struts is an Apache Software Foundation Top-Level Project (since 2004) and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.





What: On 7 September 2017, credit reporting agency Equifax announced a data breach affecting 143 million consumers. On 7 September 2017, credit reporting agency Equifax announced a data breach affecting 143 million consumers. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628





Following this announcement, additional claims stated that the breach was caused by CVE-2017-9805, an exploit in Apache Struts that was disclosed on 4 September 2017. https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/





On 9 September 2017, the Apache Struts PMC issued a statement on the Equifax data breach that included details on its response process to reported vulnerabilities and also provided recommended security guidelines. https://s.apache.org/8thB





On 13 September 2017, Equifax issued a statement confirming that "The vulnerability was Apache Struts CVE-2017-5638". https://www.equifaxsecurity2017.com/





This vulnerability was patched on 7 March 2017, the same day it was announced. https://cwiki.apache.org/confluence/display/WW/S2-045





In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.





When: Apache Struts CVE-2017-5638 was originally reported on 7 March 2017.





Where: For downloads, documentation (including security guide and bulletins), and how to become involved with Apache Struts, visit For downloads, documentation (including security guide and bulletins), and how to become involved with Apache Struts, visit http://struts.apache.org/ and https://twitter.com/TheApacheStruts





About The Apache Software Foundation (ASF)

Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 650 individual Members and 6,200 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb, Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF





Media contact:

Sally Khudairi

Vice President

The Apache Software Foundation

Tel/WhatsApp +1 617 921 8656

press(at)apache(dot)org





# # #





© The Apache Software Foundation. "Apache", "Struts", "Apache Struts", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

Posted at 11:00AM Sep 14, 2017 by Sally in General | |