Struts 2 breach was 100% preventable

In September 2017, Equifax announced a cyber-security breach of substantial extent. Equifax Inc., founded in 1899 and headquartered in Atlanta, Georgia, is a consumer credit reporting agency and one of the largest US credit agencies. In the attack, which the company says occurred between mid-May and July 2017, the personal data of approximately 145 million U.S. Equifax consumers was taken, including full names, social security numbers, birth dates, addresses and, in some cases, driver's license numbers and credit card details. Residents of the United Kingdom and Canada were also affected.

Sonatype, as steward of the Central Repository, which is the default repository for Apache Maven, SBT and other build systems, shares its perspective on the matter:

  1. Apache Struts: Apache Struts is a popular, free and open-source Model-View-Controller (MVC) framework for Java. It is developed and maintained by an active and highly responsible community of volunteer contributors. The Apache Struts project has a long and well-documented history of securing, hardening and maintaining the software it produces.

  2. Struts Vulnerabilities: In the week commencing September 4, the Apache Struts project team disclosed two different critical vulnerabilities in Struts 2 that would expose applications to remote code execution and enable direct access to customer-critical data. In both cases, and in keeping with its long-standing practice, the Apache Struts team made fixes available before publicly disclosing the vulnerabilities.

  3. Equifax Breach Disclosed: Separately, Equifax announced in the same week that it had suffered a massive security breach that exposed sensitive information. Equifax said the breach happened between mid-May and July 2017. It discovered the intrusion on July 29 and informed the public on September 7, and reports suggest that a security vulnerability in Apache Struts was the cause of the breach.

Sonatype says that it does not pretend to know for certain what happened at Equifax, but that it does know Apache Struts has a tremendous track record of finding security vulnerabilities and making fixes available in a timely manner.

Organizations such as Equifax that leverage open source to accelerate innovation are themselves responsible for practicing appropriate hygiene, in a timely manner, once fixes for vulnerabilities are made available.

For far too long, businesses have relied on network-based cyber-security tools to defend the perimeter of the organization. The events at Equifax serve as a stark reminder that perimeter defences by themselves are insufficient to protect critical data, as attackers increasingly target vulnerabilities in the application layer.

80% to 90% of every modern application consists of open source components. Therefore, in order to avoid unnecessary risk, organizations MUST automatically and continuously govern the quality of open source components and third-party libraries within their software supply chains. To ignore this problem any longer is simply negligent.
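As an added illustration of the continuous governance the text calls for (this is example code, not Sonatype's or the Nexus Lifecycle product's), a minimal build-manifest check: it resolves Maven version properties in a pom.xml, then flags any dependency whose version falls inside a declared vulnerable range. The advisory table, its placeholder id and version range, and the sample pom are all constructed for the example and are not taken from a real advisory.

```python
"""Flag Maven dependencies whose resolved version sits in a known-bad range."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory table: (groupId, artifactId, affected-from inclusive,
# fixed-in exclusive, reference). The id and range are placeholders, not a real CVE.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.5.0", "2.5.13", "ADVISORY-PLACEHOLDER-1"),
]

# Constructed sample pom.xml; the Struts version is supplied via a property,
# which is the case a naive grep for "<version>" misses.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(v):
    """Turn "2.5.10" or "2.3.34.1" into a zero-padded tuple so ranges compare correctly."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    return tuple(parts + [0] * (4 - len(parts)))


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(MAVEN_NS, ""): p.text for p in root.findall(f"{MAVEN_NS}properties/*")}
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        version = dep.findtext(f"{MAVEN_NS}version") or ""
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        yield dep.findtext(f"{MAVEN_NS}groupId"), dep.findtext(f"{MAVEN_NS}artifactId"), version


def find_vulnerable(pom_xml):
    """Return [(coordinate, advisory reference, first fixed version)] for matching dependencies."""
    hits = []
    for group, artifact, version in dependencies(pom_xml):
        for adv_group, adv_artifact, low, high, ref in ADVISORIES:
            if (group, artifact) == (adv_group, adv_artifact) and \
                    parse_version(low) <= parse_version(version) < parse_version(high):
                hits.append((f"{group}:{artifact}:{version}", ref, high))
    return hits
```

Run against every pom in a build pipeline, a non-empty result from `find_vulnerable` is the point at which a release should be blocked until the dependency is upgraded to the fixed version.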

In this video, Ilkka Turunen, Solutions Architect at Sonatype, walks through how Nexus Lifecycle would have alerted an organization to its use of an open source component with a known vulnerability, and then shows the steps to remediation: https://youtu.be/l7WHQp-Zf0w

Other sources:

State of the Software Supply Chain Report 2017
122,000 OSS projects, 7,500 development teams, 17,000 applications:
http://www.aservo.com/en/news/state-software-supply-chain


Free Application Health Check
Scan your applications and learn more:
http://www.aservo.com/en/know-how/sonatype-en