Who: Apache® Struts™ is a popular Open Source framework for creating enterprise-grade Java Web applications. Apache Struts powers front- and back-end applications and Internet of Things (IoT) devices for many of the world's most visible financial institutions, government organizations, technology service providers, telecommunications agencies, and Fortune 100 companies.
Apache Struts is an Apache Software Foundation Top-Level Project (since 2004) and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.
What: On 7 September 2017, credit reporting agency Equifax announced a data breach affecting 143 million consumers. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
Following this announcement, additional claims stated that the breach was caused by CVE-2017-9805, an exploit in Apache Struts that was disclosed on 4 September 2017. https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
On 9 September 2017, the Apache Struts PMC issued a statement on the Equifax data breach that included details on its response process to reported vulnerabilities and also provided recommended security guidelines. https://s.apache.org/8thB
On 13 September 2017, Equifax issued a statement confirming that "The vulnerability was Apache Struts CVE-2017-5638". https://www.equifaxsecurity2017.com/
This vulnerability was patched on 7 March 2017, the same day it was announced. https://cwiki.apache.org/confluence/display/WW/S2-045
In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.
When: Apache Struts CVE-2017-5638 was originally reported on 7 March 2017.
Where: For downloads, documentation (including security guide and bulletins), and how to become involved with Apache Struts, visit http://struts.apache.org/ and https://twitter.com/TheApacheStruts
About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 650 individual Members and 6,200 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb, Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF
Media contact:
Sally Khudairi
Vice President
The Apache Software Foundation
Tel/WhatsApp +1 617 921 8656
# # #
© The Apache Software Foundation. "Apache", "Struts", "Apache Struts", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.