It is hard to believe, but the vulnerable version of the popular open source framework that cost 147.9 Americans their personally identifiable information (PII) in the Equifax breach last fall is still going unrepaired by most of the companies using the vulnerable versions of Struts. Despite the Apache Foundation issuing fixes as early as March 2017, and six more times over the past year, companies are in no rush to patch the vulnerability, including Fortune 100 enterprises and companies in the finance, banking and insurance spaces, which are notorious for holding the most sensitive data and the kind that hackers are most eager to get their hands on.
A recent WhiteSource survey shows that only 54 percent of developers remediate a vulnerability immediately once it is detected in their system, suggesting that nearly half of those who detect vulnerabilities remain slow to act in the race against hackers. One year after Equifax, many of those affected by the Struts 2 vulnerability have left it unfixed, leaving themselves exposed to exploitation attempts. Hackers, for their part, have not stopped trying to exploit the Struts 2 vulnerability and still aim to capitalize on the many companies that have yet to remediate.
Knowing What’s In Your Code is Still Not a Given
The Apache Foundation published the Struts 2 vulnerability under the identifier CVE-2017-5638 in March 2017. At that time, companies like Equifax should have checked for the presence of the vulnerable version in their codebase. But in order to check for the vulnerable version, Equifax and tens of thousands of other companies using the Struts 2 framework would first have needed to know that they were using that component at all; they would have needed to know of its existence in their product.
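As an added illustration of that inventory problem (example code written for this post, not WhiteSource's or Apache's), here is a small Python check that finds struts2-core in jar file names and Maven pom.xml text and compares the declared version with the CVE-2017-5638 affected ranges. The range table is an assumption recalled from the Apache S2-045 advisory and must be confirmed against it before use; the sample pom is constructed.

```python
"""Flag struts2-core versions inside the CVE-2017-5638 (S2-045) affected ranges."""
import re

# ASSUMPTION: inclusive affected ranges as recalled from the Apache S2-045
# advisory; confirm against the advisory before relying on this table.
AFFECTED_RANGES = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
DEP_RE = re.compile(r"<dependency>(.*?)</dependency>", re.S)
VER_RE = re.compile(r"<version>\s*([^<\s]+)\s*</version>")
PROP_RE = re.compile(r"<([\w.\-]+)>\s*([^<\s]+)\s*</\1>")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); padded so 2.5 < 2.5.10 < 2.5.10.1."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    return nums + (0,) * (4 - len(nums)) if nums else None

def is_affected(version):
    """True/False for a numeric version, None when it cannot be parsed."""
    v = parse_version(version)
    return None if v is None else any(parse_version(lo) <= v <= parse_version(hi)
                                      for lo, hi in AFFECTED_RANGES)

def jar_version(filename):
    """Version embedded in a struts2-core jar name, None for any other jar."""
    m = JAR_RE.search(filename)
    return m.group(1) if m else None

def pom_versions(pom_text):
    """struts2-core versions declared in a pom. ${prop} references are resolved
    from the same pom; a dependency without <version> (managed by a parent or
    BOM) is reported as 'unresolved' so it can be chased with dependency:tree."""
    props = dict(PROP_RE.findall(pom_text))
    found = []
    for block in DEP_RE.findall(pom_text):
        if not re.search(r"<artifactId>\s*struts2-core\s*</artifactId>", block):
            continue
        m = VER_RE.search(block)
        ver = m.group(1) if m else "unresolved"
        ref = re.fullmatch(r"\$\{([\w.\-]+)\}", ver)
        found.append(props.get(ref.group(1), ver) if ref else ver)
    return found

# Constructed sample pom (not from any real project) for a stand-alone run.
SAMPLE_POM = """<project><properties><struts.version>2.3.20</struts.version></properties>
<dependencies><dependency><groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId><version>${struts.version}</version>
</dependency></dependencies></project>"""
```

Feed each value from `pom_versions(SAMPLE_POM)` or `jar_version(...)` to `is_affected`; an `unresolved` result means the version is set outside this pom and the full tree (`mvn dependency:tree`) has to be inspected.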
The problem
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Anat Richter. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/equifax-breach-year-in-review-vulnerabilities-in-apache-struts-still-going-strong