Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

Those are just the ones known to have downloaded outdated versions


Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.

The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.

Additionally, more than 46,000 organisations downloaded versions of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available. Altogether, upwards of 50,000 organisations might be vulnerable to attack.

Why are developers still using vulnerable software packages when newer versions are available?

A variety of factors might be responsible, such as dependencies, old links in documentation, no time allotted to test newer versions, and simple fear of change. Compatibility is a big factor. "Over the years Struts versions have unsupported/broke features, plugins," noted infosec consultant Kevin Beaumont.

Jason Coulls, a mobile app developer, added: "Technical debt. If you don't keep up, compatibility will force you backwards."

Why wouldn't you patch?

Mike Pittenger, VP of security strategy at SecDevOps tools firm Black Duck Software, told El Reg that it could be that developers – whose work performance is generally judged by the functionality of their software rather than security factors – neglect to check whether the version of Struts they are using is secure or not.

Struts is a framework for web app development and the amount of work needed to patch a particular environment can vary widely. Sometimes there are valid reasons to defer patching. "Fixes could require API [program interface] changes or more testing to make sure you don't break things," Pittenger said.

The difficulty of updating varies widely from one vulnerability to the next. A recent open-source security and risk analysis by Black Duck found Apache Struts in 3.9 per cent of the applications it examined, with 20 high-risk vulnerabilities per component.

Sonatype's figures are based on analysis of data from the Maven Central repository, the largest distribution point for Java open-source components.
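The check Pittenger describes (does the Struts version a project pulls in fall inside a known-vulnerable range?) is mechanical once the dependency declarations and the advisory ranges are in machine-readable form. The following Python script is an added illustration, not code from Sonatype, Black Duck or The Register: it parses a Maven `pom.xml`, resolves `${property}` version references, and flags any dependency whose version lies inside an advisory's affected range. The sample `pom.xml` and the advisory table are constructed for this example; the CVE id is the one named in the article, but the affected and fixed version ranges listed for it are an assumption for illustration and should be taken from the Apache Struts security bulletin rather than from this snippet.

```python
"""Audit a Maven pom.xml for dependencies inside known-vulnerable version ranges.

Illustrative example only: the advisory table and the pom below are constructed
sample data, not a live vulnerability feed or a real project.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory table. The CVE id comes from the article; the version
# ranges are an ASSUMPTION for illustration. Use the vendor bulletin for the real ones.
ADVISORIES = [
    {
        "id": "CVE-2017-5638",
        "group": "org.apache.struts",
        "artifact": "struts2-core",
        "ranges": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],  # inclusive bounds
        "fixed_in": ["2.3.32", "2.5.10.1"],
    },
]

# Constructed sample pom: the Struts version is declared once as a property and
# referenced from the dependency, which is how most real projects do it.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically.

    Parsing stops at the first non-numeric component (e.g. '-SNAPSHOT'), which
    is adequate for range checks on plain dotted release versions.
    """
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def in_range(version, low, high):
    """True if low <= version <= high, padding so '2.5' equals '2.5.0'."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def resolve(value, props):
    """Substitute ${name} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    for d in root.iter(f"{POM_NS}dependency"):
        field = lambda tag: resolve((d.findtext(f"{POM_NS}{tag}") or "").strip(), props)
        yield field("groupId"), field("artifactId"), field("version")


def audit(pom_xml, advisories=ADVISORIES):
    """Return one finding per dependency that sits inside an advisory's affected range."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        for adv in advisories:
            if (group, artifact) != (adv["group"], adv["artifact"]):
                continue
            if any(in_range(version, lo, hi) for lo, hi in adv["ranges"]):
                findings.append({"cve": adv["id"], "coordinate": f"{group}:{artifact}:{version}",
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POM):
        print(f"{f['cve']}: {f['coordinate']} is affected; fixed in {', '.join(f['fixed_in'])}")
```

Running it against the sample pom reports the `struts2-core:2.3.31` coordinate as affected; changing the property to a version outside the ranges produces no findings. The property resolution matters in practice: a scanner that only greps for literal `<version>2.3.31</version>` strings misses the common `${struts.version}` pattern and reports a clean build that is not.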

Sonatype's 2017 State of the Software Supply Chain report found that 4.6 per cent (1 in 22) of the components used in production software have known vulnerabilities.

"Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open source components are simply not paying attention," said Wayne Jackson, Sonatype chief exec.

"The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components." ®
