Equifax recently became headline news for all the wrong reasons when it revealed it had been the victim of a data breach that exposed the sensitive financial history and personal data of more than 140 million people. Equifax also shared that the attackers were able to gain access by exploiting a well-known vulnerability in its web application. Black Duck wants to help other companies avoid falling victim to the same scenario, so it has released a new free tool.
The flaw attackers exploited at Equifax is one of several vulnerabilities in Apache Struts, a widely used open-source Java web application framework. The specific flaw, CVE-2017-5638 (Struts advisory S2-045), is a remote code execution bug in the Jakarta Multipart parser of Struts 2: a request carrying a crafted Content-Type header with an embedded OGNL expression causes the server to evaluate that expression. It was disclosed and patched in March of this year, and in-the-wild exploitation followed within days. Other major flaws in Apache Struts have been disclosed since then.
Updates to Apache Struts have been released to address these flaws; however, patching is easier said than done. Struts is a library, not a stand-alone application: it ships as a jar bundled inside each web application that uses it, so one server may host several applications at different Struts versions, and inventorying them means looking inside deployment archives rather than consulting the operating system's package manager. Many of those applications are mission-critical, and changing a framework version in a production application calls for regression testing, which makes updating or patching a more involved task.
Finding the vulnerable applications may be harder and updating critical ones more of a burden, but the affected Struts version still has to be found and replaced with a fixed one. If it is not, you may find yourself in the headlines like Equifax.
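The discovery step described above is something you can approximate yourself. The following is an added example, not Black Duck's Threat Check for Struts (the article does not describe that tool's internals): a small Python scanner that walks a WAR or EAR, including nested archives, and identifies struts2-core jars by the Maven pom.properties they carry rather than by file name, then checks the version against the ranges the Struts S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample WAR and EAR it scans are constructed inside the block; the jar names and the depth limit are the example's own choices.

```python
"""Find vulnerable Apache Struts 2 builds inside Java deployment archives.

Added example; not Black Duck's Threat Check for Struts. Struts ships as a
jar inside each WAR/EAR that uses it, so an OS package inventory never sees
it. This walks archives, including nested ones, and reads the Maven
pom.properties the jar carries instead of trusting the file name, which a
renamed jar would hide.
"""
import io
import re
import zipfile

# Marker file inside a genuine struts2-core jar.
POM = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
# CVE-2017-5638 (advisory S2-045): affected 2.3.5-2.3.31 and 2.5-2.5.10,
# fixed in 2.3.32 and 2.5.10.1. Extend this table for later advisories.
AFFECTED = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); qualifiers such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True if this struts2-core version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def struts_version_of_jar(jar_bytes):
    """Version string from pom.properties inside a jar, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            if POM not in jar.namelist():
                return None
            for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # a .jar that is not a zip: nothing to report
    return None


def find_struts(archive_bytes, location, depth=0):
    """Yield (location, version) for every struts2-core jar in an archive,
    descending into nested jars/wars/ears up to a fixed depth."""
    if depth > 4:  # guard against absurdly nested or hostile archives
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            data = zf.read(name)
            inner = f"{location}!/{name}"
            version = struts_version_of_jar(data)
            if version:
                yield inner, version
            else:
                yield from find_struts(data, inner, depth + 1)


def scan(archive_bytes, location):
    """Return [(location, version, vulnerable)] for one archive."""
    return [(loc, v, is_vulnerable(v)) for loc, v in find_struts(archive_bytes, location)]


def make_zip(entries):
    """Build an in-memory zip/jar from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_war(struts_version):
    """Constructed test input: a WAR whose Struts jar has been renamed so a
    filename-based scan would miss it."""
    struts_jar = make_zip({POM: f"version={struts_version}\n"})
    other_jar = make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return make_zip({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/commons-lang3-3.5.jar": other_jar,
        "WEB-INF/lib/framework.jar": struts_jar,
    })


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        for loc, v, bad in scan(build_sample_war(ver), f"app-{ver}.war"):
            print(f"{loc}: struts2-core {v} -> {'VULNERABLE' if bad else 'ok'}")
    # A WAR packaged inside an EAR is found the same way.
    ear = make_zip({"app.war": build_sample_war("2.3.31")})
    print(scan(ear, "bundle.ear"))
```

Two caveats for real use: a shaded or "fat" jar that repackages Struts classes without the Maven metadata will not be detected, so a class-name search (for example for org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.class) is a useful second pass; and a matching version is a screening result, not proof of exploitability, though for S2-045 the default multipart configuration was affected.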
Black Duck is in the business of helping customers secure and manage open-source software, particularly in dynamic DevOps and container environments. It recently launched Threat Check for Struts, a free tool that lets organizations determine whether they are exposed to Apache Struts vulnerabilities, including the CVE-2017-5638 flaw exploited in the Equifax breach.
“The Equifax breach never should have happened,” said Black Duck CEO Lou Shipley. “Equifax has acknowledged that. Even though a patch for the exploited Apache Struts vulnerability had been available for two months when the breach occurred, it hadn’t been applied. Unfortunately, this is something we see time and again: a known, fixable open-source vulnerability not being remediated.”
Black Duck wants to help ensure that same mistake isn’t made by other companies. Apache Struts is widely used by many—if not most—Fortune 500 companies to build and deploy web applications spanning industries such as financial services, health care, education, retail and media.
With the rise of DevOps and containers, organizations rely increasingly on open-source tools and platforms. Black Duck estimates that as much as 80 percent to 90 percent of the code in modern applications is derived in some way from open-source code, yet most companies lack visibility into what open-source code is running on their networks and where. A free tool such as Threat Check for Struts that can help automate discovery of vulnerable open-source code is invaluable.