Posted to announce@apache.org by Sally Khudairi <sk...@apache.org> on 2017/09/14 11:00:46 UTC

MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit

[this announcement is available online at https://s.apache.org/7bip ]

Who: Apache® Struts™ is a popular Open Source framework for creating
enterprise-grade Java Web applications. Apache Struts powers front- and
back-end applications and Internet of Things (IoT) devices for many of
the world's most visible financial institutions, government
organizations, technology service providers, telecommunications
agencies, and Fortune 100 companies.

Apache Struts is an Apache Software Foundation Top-Level Project (since
2004) and is overseen by a self-selected team of active contributors to
the project. A Project Management Committee (PMC) guides the Project's
day-to-day operations, including community development and product
releases.

What: On 7 September 2017, credit reporting agency Equifax announced a
data breach affecting 143 million consumers.
https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628

Following this announcement, several reports claimed that the breach
had been caused by CVE-2017-9805, a vulnerability in Apache Struts that
was publicly disclosed on 4 September 2017.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/

On 9 September 2017, the Apache Struts PMC issued a statement on the
Equifax data breach that included details on its response process to
reported vulnerabilities and also provided recommended security
guidelines. https://s.apache.org/8thB

On 13 September 2017, Equifax issued a statement confirming that "The
vulnerability was Apache Struts CVE-2017-5638".
https://www.equifaxsecurity2017.com/

A fix for this vulnerability (Struts security bulletin S2-045) was
released on 7 March 2017, the same day the vulnerability was publicly
announced. https://cwiki.apache.org/confluence/display/WW/S2-045

In conclusion, the Equifax data compromise was due to Equifax's failure
to install, in a timely manner, the security updates that had been
available since 7 March 2017.

When: Apache Struts CVE-2017-5638 was originally reported on 7 March
2017.

Where: For downloads, documentation (including security guide and
bulletins), and how to become involved with Apache Struts, visit
http://struts.apache.org/ and https://twitter.com/TheApacheStruts

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350
leading Open Source projects, including Apache HTTP Server --the world's
most popular Web server software. Through the ASF's meritocratic process
known as "The Apache Way," more than 650 individual Members and 6,200
Committers across six continents successfully collaborate to develop
freely available enterprise-grade software, benefiting millions of users
worldwide: thousands of software solutions are distributed under the
Apache License; and the community actively participates in ASF mailing
lists, mentoring initiatives, and ApacheCon, the Foundation's official
user conference, trainings, and expo. The ASF is a US 501(c)(3)
charitable organization, funded by individual donations and corporate
sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget
Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook,
Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb,
Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat,
Serenata Flowers, Target, WANdisco, and Yahoo. For more information,
visit http://apache.org/ and https://twitter.com/TheASF

# # #

NOTE: you are receiving this message because you are subscribed to the
announce@apache.org distribution list. To unsubscribe, send email from
the recipient account to announce-unsubscribe@apache.org with the word
"Unsubscribe" in the subject line.