Equifax, one of the three major credit bureaus in the US, announced last week that it was the target of a data breach that potentially involved the private information of 143 million consumers. Hackers might also have accessed birth dates, addresses and driver's license numbers, as well as 209,000 credit card numbers, during the massive breach, the company reported.
The attack has been linked back to flaws in the Apache Struts 2 open source web application framework, and the breach is suspected to be related to CVE-2017-5638. Struts 2 has been used as an attack vector since March, or even longer, and Apache has put out several patches for the package since then. It is unclear whether Equifax was aware of the Struts component in its code, or whether the company had patched its systems in response to the vulnerabilities that had been detected.
Is Apache Struts 2 in Your Code?
Open source components like Apache Struts are widely adopted, which makes them a popular target for hackers. Companies that are not aware of the components they are using, or that do not track the vulnerabilities in those components, put their customer data at risk. Today, the majority of companies using open source software do not have sufficient policies and controls in place to manage license obligations and vulnerability risk.
Tracking and patching a component is easy if you have a complete Bill of Materials (BOM) to review, so that you can identify every use of a vulnerable component. But if your security team is not regularly scanning your source code and dependencies for all evidence of open source components, that discovery becomes a very expensive manual operation.
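The following is an added illustration of what such a BOM check looks like at its simplest; it is example code written for this article, not a tool from Equifax, Apache, or any vendor. It parses a Maven `pom.xml` (a constructed sample, including a version that is only reachable through a Maven property, which is where scanners that grep for literal version strings go wrong), builds a dependency inventory, and matches it against a small advisory table. The affected version ranges for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10) are those published by Apache for that CVE; the artifact-prefix matching and the sample project coordinates are assumptions made for this example.

```python
"""Build a dependency inventory from a Maven pom.xml and match it against
known advisories. Example code for this article, not a production scanner."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample pom.xml standing in for a real project's build file.
# Note the struts2-core version is defined indirectly via a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>customer-portal</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    group_id: str
    artifact_prefix: str   # assumption: every artifact with this prefix is affected
    ranges: tuple          # ((min_inclusive, max_inclusive), ...)


# Affected ranges as published by Apache for CVE-2017-5638.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-",
             (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))),
]


def parse_version(version):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically.
    Non-numeric qualifiers in a segment are dropped (e.g. '10-beta' -> 10)."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, low, high):
    """Inclusive range test. Tuple comparison makes 2.5.10.1 > 2.5.10, so the
    fixed release correctly falls outside the '2.5 .. 2.5.10' range."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def _child_text(element, qualify, name):
    child = element.find(qualify(name))
    return (child.text or "").strip() if child is not None else ""


def inventory(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion), ...] for every
    <dependency>, resolving ${property} references from <properties>."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    qualify = (lambda name: "{%s}%s" % (ns, name)) if ns else (lambda name: name)

    properties = {}
    props_el = root.find(qualify("properties"))
    if props_el is not None:
        for prop in props_el:
            properties[prop.tag.split("}")[-1]] = (prop.text or "").strip()

    deps = []
    for dep in root.iterfind("%s/%s" % (qualify("dependencies"), qualify("dependency"))):
        version = _child_text(dep, qualify, "version")
        if version.startswith("${") and version.endswith("}"):
            version = properties.get(version[2:-1], version)
        deps.append((_child_text(dep, qualify, "groupId"),
                     _child_text(dep, qualify, "artifactId"), version))
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return [(coordinate, version, cve), ...] for inventory entries that fall
    inside an advisory's affected range."""
    hits = []
    for group, artifact, version in deps:
        for adv in advisories:
            if group != adv.group_id or not artifact.startswith(adv.artifact_prefix):
                continue
            if any(version_in_range(version, lo, hi) for lo, hi in adv.ranges):
                hits.append(("%s:%s" % (group, artifact), version, adv.cve))
    return hits


if __name__ == "__main__":
    found = find_vulnerable(inventory(SAMPLE_POM))
    for coordinate, version, cve in found:
        print("VULNERABLE %s %s (%s)" % (coordinate, version, cve))
```

Run against the sample, the script flags `struts2-core 2.3.30` for CVE-2017-5638 while correctly leaving the patched `2.5.10.1` plugin alone. In practice the advisory table would come from a vulnerability feed rather than a hard-coded list, and the inventory would cover transitive dependencies as well as the direct ones declared in the pom, but the shape of the check is the same: a resolved component list on one side, a versioned advisory list on the other.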
Investing in an open source management platform that tracks components and alerts you to new vulnerabilities is very important. Here are some great resources to get started on the path to security.