Equifax admits Apache Struts flaw behind megahack

Credit: itnews.com.au

  • Sep 14 2017 03:19

Credit rating agency Equifax has confirmed that hackers exploited a vulnerability in the Apache Struts 2 web application framework to steal sensitive information on as many as 143 million of its customers.

The company today revealed attackers had exploited the CVE-2017-5638 vulnerability in Apache Struts 2.

Rated critical with the maximum score of 10.0, CVE-2017-5638 affects Apache Struts 2 versions 2.3.x and 2.5.x.

It allows remote attackers to easily run arbitrary commands on vulnerable servers, and was exploited in the wild during March this year. The flaw has been fixed in Apache Struts 2 versions 2.3.32 and 2.5.10.1.
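
An inventory check built on the version facts above, as an added example that is not part of the original article: it flags `struts2-core` JARs older than the fixed releases the article names. The file paths are constructed samples, and treating every 2.3.x and 2.5.x release below the fix as affected follows the article's wording.

```python
import re

# Fixed releases as stated in the article, keyed by release line (major, minor).
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# struts2-core is the Maven artifact name of the framework's core JAR.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def _pad(version, width):
    """Right-pad a version tuple with zeros so 2.5.10 compares against 2.5.10.1."""
    return version + (0,) * (width - len(version))


def classify(version_text):
    """Return 'vulnerable', 'patched', or 'unknown' for a Struts 2 version string."""
    version = tuple(int(part) for part in version_text.split("."))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Release line not mentioned in the article: report it, do not guess.
        return "unknown"
    width = max(len(version), len(fixed))
    return "vulnerable" if _pad(version, width) < _pad(fixed, width) else "patched"


def audit(paths):
    """Map each struts2-core JAR path to (version, status); ignore other files."""
    findings = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings[path] = (match.group(1), classify(match.group(1)))
    return findings


# Constructed sample inventory (for instance, the output of a file search
# across deployed web applications). These paths are illustrative only.
SAMPLE_PATHS = [
    "/opt/apps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/apps/billing/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/apps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/apps/reports/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/apps/reports/WEB-INF/lib/commons-io-2.4.jar",
]

if __name__ == "__main__":
    for path, (version, status) in audit(SAMPLE_PATHS).items():
        print(f"{status:10} {version:10} {path}")
```

Anything reported as `unknown` belongs to a release line the article does not cover and needs a manual check against the vendor's advisory.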

The admission confirms suspicions that an Apache Struts 2 vulnerability was used to attack Equifax, in one of the world's largest data breaches.

The Apache Software Foundation's Struts project management committee last week defended its security posture, but said there was little it could do if attackers discovered a zero-day vulnerability or reverse-engineered patches.

The committee warned that any complex software contains flaws.

"Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities," the Struts PMC said.

Equifax is currently trying to contain the fallout from the hack, and is offering free identity theft protection for people who are affected by the massive data leak.

The credit rating agency has also enabled a security freeze feature for access to people's information, but was criticised for creating a PIN that was simply a time and date stamp and easily guessable.

Equifax was forced to change the PIN generation method and now issues randomly generated numbers.
