Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw
"The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by exploiting a flaw in the Apache Struts framework, which Apache patched over two months before the security incident, Equifax has confirmed.
Credit rating agency Equifax is yet another example of a company that became the victim of a massive cyber attack due to not patching a critical vulnerability on time, for which patches had already been issued by the respective companies.
Rated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1.
This flaw is separate from CVE-2017-9805, another Apache Struts2 vulnerability that was patched earlier this month, which was a programming bug that manifests due to the way the Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13.
Right after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its proof-of-concept (PoC) exploit code was uploaded to a Chinese site.
Despite patches being available and proof that the flaw was already under mass attack by hackers, Equifax failed to patch its web applications against the flaw, which resulted in the breach of personal data of nearly half of the US population."
Full Article: [link to thehackernews.com (secure)]
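The article's point is that the fixed versions were public for months; the practical check is whether what you have deployed is at or above them. Below is an added example (not code from the article, Apache, or Equifax): a small Python inventory check that takes Struts core jar names or bare version strings and reports, for each of the two CVEs named above, whether the version is patched, using only the fixed versions the article states (2.3.32 / 2.5.10.1 for CVE-2017-5638, 2.5.13 for CVE-2017-9805). The article does not give a 2.3-branch fix for CVE-2017-9805, so the checker reports that branch as "unknown" rather than guessing; treat "unknown" as "verify before trusting". The sample jar list is constructed.

```python
"""Inventory check: is a deployed Struts 2 version patched for the two CVEs
named in the article? Added illustration, not Equifax or Apache code."""
import re

# First fixed version per release branch, as stated in the article.
# CVE-2017-9805: only the 2.5 branch fix (2.5.13) is given there, so the
# 2.3 branch is deliberately absent and is reported as "unknown" below.
FIXED_IN = {
    "CVE-2017-5638": {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)},
    "CVE-2017-9805": {(2, 5): (2, 5, 13)},
}

# Matches "struts2-core-2.5.10.1.jar", "2.3.31", or any "<name>-<ver>.jar".
_VERSION_RE = re.compile(r"(?:struts2-core-)?(\d+(?:\.\d+)+)(?:\.jar)?$")


def parse_version(text):
    """'struts2-core-2.5.10.1.jar' -> (2, 5, 10, 1); '2.3.31' -> (2, 3, 31)."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"no Struts version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def status(version, cve):
    """Return 'patched', 'vulnerable', or 'unknown' (branch not in the table)."""
    fixes = FIXED_IN[cve]
    branch = version[:2]
    if branch not in fixes:
        return "unknown"
    # Integer tuples compare element-wise, so (2, 5, 10) < (2, 5, 10, 1):
    # the four-part hotfix 2.5.10.1 ranks above 2.5.10, as it should.
    return "patched" if version >= fixes[branch] else "vulnerable"


def assess(artifacts):
    """Map each artifact name to {cve: status} for every CVE in the table."""
    return {
        name: {cve: status(parse_version(name), cve) for cve in FIXED_IN}
        for name in artifacts
    }


def needs_action(report):
    """Artifacts with any non-'patched' result: upgrade, or verify if 'unknown'."""
    return sorted(
        name for name, results in report.items()
        if any(s != "patched" for s in results.values())
    )


# Constructed sample inventory (hypothetical, not real deployment data).
SAMPLE = [
    "struts2-core-2.3.31.jar",    # CVE-2017-5638: vulnerable; 9805: unknown
    "struts2-core-2.5.10.jar",    # CVE-2017-5638: vulnerable (below 2.5.10.1)
    "struts2-core-2.5.10.1.jar",  # 5638 patched, but CVE-2017-9805 vulnerable
    "struts2-core-2.5.13.jar",    # patched for both
]

if __name__ == "__main__":
    report = assess(SAMPLE)
    for name, results in report.items():
        print(name, results)
    print("needs action:", needs_action(report))
```

The branch-aware table matters: a naive "version >= 2.5.13" rule would wrongly flag 2.3.32 as unpatched for CVE-2017-5638, while a naive "version >= 2.3.32" rule would wrongly clear 2.5.10 for it. Any branch the table does not cover is surfaced as "unknown" rather than silently passed.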