Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday September 12 2017, @06:26AM   Printer-friendly
from the oops dept.

Submitted via IRC for SoyCow1937

A vulnerability affecting the Apache Struts 2 open-source development framework was reportedly used to breach U.S. credit reporting agency Equifax and gain access to customer data.

Equifax revealed last week that hackers had access to its systems between mid-May and late July. The incident affects roughly 143 million U.S. consumers, along with some individuals in the U.K. and Canada.

The compromised information includes names, social security numbers, dates of birth, addresses and, in some cases, driver's license numbers. The credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people may have also been stolen by the attackers.

Equifax only said that "criminals exploited a U.S. website application vulnerability to gain access to certain files." However, financial services firm Baird claimed the targeted software was Apache Struts, a framework used by many top organizations to create web applications.

"Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw," Baird said in a report.

Some jumped to conclude that it was the recently patched and disclosed CVE-2017-9805, a remote code execution vulnerability that exists when the REST plugin is used with the XStream handler for XML payloads. This flaw was reported to Apache Struts developers in mid-July and it was addressed on September 5 with the release of Struts 2.5.13.

The security hole is now being exploited in the wild, but there had been no evidence of exploitation before the patch was released.

Source: http://www.securityweek.com/apache-struts-flaw-reportedly-exploited-equifax-hack


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Interesting) by Arik on Tuesday September 12 2017, @06:47AM (4 children)

    by Arik (4543) on Tuesday September 12 2017, @06:47AM (#566568) Journal
    "However, financial services firm Baird claimed the targeted software was Apache Struts, a framework used by many top organizations to create web applications."

    Yes, they use it to make 'webapps' - those insidious assaults on the web itself and all it stands for.

    I looked it up.

    https://struts.apache.org/

    "Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON."

    So they deserved everything they got, and much more. The only victims are the individuals whose data was exposed, and I very much hope they sue this company into bankruptcy court and dissolution, far too kind a fate for such scum.

    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by Wootery on Tuesday September 12 2017, @10:40AM (3 children)

      by Wootery (2341) on Tuesday September 12 2017, @10:40AM (#566669)

      I'm not seeing a compelling argument against MVC web-app frameworks.

      • (Score: 1) by Arik on Tuesday September 12 2017, @11:11AM (1 child)

        by Arik (4543) on Tuesday September 12 2017, @11:11AM (#566676) Journal
        Do you see any compelling arguments against proprietary blobware?
        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by Wootery on Tuesday September 12 2017, @11:54AM

          by Wootery (2341) on Tuesday September 12 2017, @11:54AM (#566692)

          What? Struts is Free and Open Source, you just said so yourself.

          As for 'blobware' - it's a large complex codebase, sure, but we're talking about large complex software systems. I don't see that security is necessarily improved by having Equifax write more code and Apache write less.

          Modern operating systems are also large, complex, and imperfect. Should web developers write to bare metal?

      • (Score: 0) by Anonymous Coward on Wednesday September 13 2017, @02:05AM

        by Anonymous Coward on Wednesday September 13 2017, @02:05AM (#567050)

        java is kind of squared and boring

  • (Score: 4, Informative) by canopic jug on Tuesday September 12 2017, @08:03AM

    by canopic jug (3949) Subscriber Badge on Tuesday September 12 2017, @08:03AM (#566603) Journal

    In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source.

    http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/ [zdnet.com]

    Like with any rumor, it is important to follow them upstream to find the source. In this case it seems to lead to a non-technical staff member, probably a microsofter with an axe to grind. It's a big red flag about the current state of journalism that no one has called out Equifax on their cluelessness and that coverage of this mess has only come from the tech sector's news. It's not acceptable for executives in any branch not to know how the Internet works or how to safely manage online information [privateinternetaccess.com].

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 5, Funny) by kazzie on Tuesday September 12 2017, @08:13AM

    by kazzie (5309) Subscriber Badge on Tuesday September 12 2017, @08:13AM (#566607)

    I had a mental image of a Native American parading up and down with an exploit in his hand...

  • (Score: 4, Interesting) by goodie on Tuesday September 12 2017, @02:21PM

    by goodie (1877) on Tuesday September 12 2017, @02:21PM (#566739) Journal

    was "wow, people still actively use Struts?". Not that I don't think it is a good framework. In principle it works well, but my experience with it was rather debilitating after a while. the idea that you can create navigation rules and bind your view to a model is quite interesting, but it is rather rigid and, back when we used it, still had some cross-browser compatibility issues. In any case, it's interesting to hear that name. We used it back in 2006 or so and we let it go after a bit to move to jsf, which we then dropped as well. Both projects are interesting, but not great for enterprise-grade applications in our experience. You will need to work around the framework a lot to enable certain things if your "webapp" is not static, page by page.

    That brought me back though :D

(1)