Equifax admits Apache Struts flaw behind megahack

Vulnerability exploited in the wild since March.

Credit rating agency Equifax has confirmed that hackers exploited a vulnerability in the Apache Struts 2 web application framework to steal sensitive information on as many as 143 million of its customers.

The company today revealed attackers had exploited the CVE-2017-5638 vulnerability in Apache Struts 2.

Rated as a maximum 10.0 critical vulnerability, CVE-2017-5638 affects Apache Struts 2 2.3.x as well as version 2.5.x.

It allows remote attackers to easily run arbitrary commands on vulnerable servers, and was exploited in the wild during March this year. The flaw has been fixed in Apache Struts 2 version 2.3.32 and 2.5.10.1.
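The practical question for anyone running Struts after reading the above is whether their deployed version sits below the fix levels named here (2.3.32 and 2.5.10.1). The following is an added example, not Equifax's or the Struts project's code: it parses a version string (or the name of a `struts2-core-<version>.jar` file) and classifies it against those two fix levels. Because the article names only the affected branches (2.3.x and 2.5.x) and the fixed releases, the check conservatively treats every 2.3.x release before 2.3.32 and every 2.5.x release before 2.5.10.1 as affected; the inventory of hosts at the bottom is constructed for the example.

```python
"""Triage reported Apache Struts 2 versions against the CVE-2017-5638 fix levels
named in the article (2.3.32 and 2.5.10.1).

Added example, not code from Equifax or the Struts project. Assumption: any
2.3.x release below 2.3.32 and any 2.5.x release below 2.5.10.1 is treated as
affected, since the article gives only the branches and the fixed releases.
"""
import re
from typing import Dict, Optional, Tuple

# First release on each affected branch that carries the fix (from the article).
FIXED_RELEASE: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Real Maven artifact naming for Struts 2 core, e.g. struts2-core-2.3.31.jar
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); return None for anything else."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_jar_name(filename: str) -> Optional[str]:
    """Extract the version from a struts2-core jar file name, if it is one."""
    m = JAR_NAME.search(filename)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """Classify a version string as 'vulnerable', 'fixed', 'out-of-scope' or 'unparseable'.

    Tuples compare lexicographically, so (2, 5, 10) < (2, 5, 10, 1) and a bare
    '2.3' (patch level unknown) is also flagged, which is the conservative choice.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_RELEASE.get(parsed[:2])
    if fixed is None:
        # Branch not named in the article; report it rather than guess.
        return "out-of-scope"
    return "vulnerable" if parsed < fixed else "fixed"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for an inventory of host -> version-or-jar-name."""
    result = {}
    for host, item in inventory.items():
        version = version_from_jar_name(item) or item
        result[host] = assess(version)
    return result


# Constructed sample inventory (host names and versions invented for the example).
SAMPLE_INVENTORY = {
    "web-01": "struts2-core-2.3.31.jar",
    "web-02": "2.3.32",
    "web-03": "struts2-core-2.5.10.jar",
    "web-04": "2.5.10.1",
    "legacy-01": "2.1.8",
    "unknown-01": "n/a",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY` with the versions your asset management reports; anything marked `vulnerable` or `out-of-scope` deserves a closer look, and `out-of-scope` branches should be checked against the Struts advisory rather than assumed safe.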

It confirms suspicions that an Apache Struts 2 vulnerability was used to attack Equifax, in one of the world's largest data breaches.

The Apache Software Foundation's Struts project management committee last week defended its security posture, but said there was little it could do if attackers discovered a zero-day vulnerability or reverse-engineered patches.

The committee warned that any complex software contains flaws.

"Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities," the Struts PMC said.

Equifax is currently trying to contain the fallout from the hack, and is offering free identity theft protection for people who are affected by the massive data leak.

The credit rating agency has also enabled a security freeze feature for access to people's information, but was criticised for creating a PIN that was simply a time and date stamp and easily guessable.

Equifax was forced to change the PIN generation method and now issues randomly generated numbers.
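The PIN problem described above is a question of keyspace: a PIN derived from the minute the freeze was requested can take on only as many values as there are minutes in the window an attacker would plausibly consider, while a 10-digit PIN drawn from a cryptographic random source has ten billion. The example below is added here and is not Equifax's code; the article does not give the exact layout of the original time-stamp PIN, so the weak generator assumes a 10-digit `MMDDYYHHMM` layout. It shows the weak scheme beside the corrected one and includes a check a defender could run over stored PINs to find ones that still look like time stamps.

```python
"""Time-stamp PIN (weak) beside a randomly generated PIN (corrected).

Added example, not Equifax's code. Assumption: the original PIN was the
request time laid out as MMDDYYHHMM (10 digits); the article only says it was
a time and date stamp.
"""
import re
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
TIMESTAMP_LAYOUT = "%m%d%y%H%M"  # assumed layout, see module docstring


def timestamp_pin(when: datetime) -> str:
    """Weak: the PIN is just the request time, so it is predictable from the
    freeze request itself and takes at most one value per minute."""
    return when.strftime(TIMESTAMP_LAYOUT)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Corrected: uniformly random digits from the OS CSPRNG (secrets), zero-padded."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def timestamp_keyspace(window: timedelta) -> int:
    """Distinct PINs the time-stamp scheme can yield across a window of time
    (one per whole minute)."""
    return int(window.total_seconds() // 60)


def random_keyspace(digits: int = PIN_DIGITS) -> int:
    """Distinct PINs the random scheme can yield."""
    return 10 ** digits


def looks_like_timestamp(pin: str) -> bool:
    """Detection helper: True if a stored PIN parses as a valid MMDDYYHHMM time.

    Useful for finding legacy PINs that were issued under the weak scheme and
    should be reissued. A random PIN can occasionally pass this test by chance,
    so treat a hit as a candidate for reissue, not proof of origin.
    """
    if not re.fullmatch(r"\d{10}", pin):
        return False
    try:
        datetime.strptime(pin, TIMESTAMP_LAYOUT)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request time for the demonstration.
    request_time = datetime(2017, 9, 7, 14, 5)
    weak = timestamp_pin(request_time)
    strong = random_pin()
    print("weak PIN     :", weak, "timestamp-shaped:", looks_like_timestamp(weak))
    print("random PIN   :", strong)
    print("keyspace over 30 days (weak):", timestamp_keyspace(timedelta(days=30)))
    print("keyspace (random, 10 digits):", random_keyspace())
```

The comparison printed at the bottom is the whole argument: roughly forty thousand possibilities for a month of time stamps versus ten billion for the random scheme, and the weak value is additionally tied to an event the requester knows the time of. `looks_like_timestamp` is the audit step: run it over existing PINs and reissue any that parse as a valid date and time.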

Copyright © iTnews.com.au . All rights reserved.