Equifax admits Apache Struts flaw behind megahack

Credit rating agency Equifax has confirmed that hackers exploited a vulnerability in the Apache Struts 2 web application framework to steal sensitive information on as many as 143 million of its customers.

The company today revealed attackers had exploited the CVE-2017-5638 vulnerability in Apache Struts 2.

Rated as a maximum 10.0 critical vulnerability, CVE-2017-5638 affects Apache Struts 2 2.3.x as well as version 2.5.x. 

It allows remote attackers to easily run arbitrary commands on vulnerable servers, and was exploited in the wild during March this year. The flaw has been fixed in Apache Struts 2 version 2.3.32 and 2.5.10.1.

It confirms suspicisions that an Apache Strust 2 vulnerability was used to attack Equifax, in one of the world's largest data breaches.

The Apache Software Foundation's Struts project management committee last week defended its security posture, but said there was little it could do if attackers discovered a zero-day vulnerability or reverse-engineered patches.

The committee warned that any complex software contains flaws.

"Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities," the Struts PMC said.

Equifax is currently trying to contain the fallout from the hack, and is offering free identity theft protection for people who are affected by the massive data leak.

The credit rating agency has also enabled a security freeze feature for access to people's information, but was criticised for creating a PIN that was simply a time and date stamp and easily guessable.

Equifax was forced to change the PIN generation method and now issues randomly generated numbers.