Brian Fernandes
Director of Customer Engagement - Loves technology and almost everything related to computing. Wants to help you write better software. Follow at @brianfernandes.
Posted on Sep 15th 2017

Many of you may have heard of the Equifax data breach, which by Equifax's own initial estimate affected roughly 143 million U.S. consumers. Information accessed by the attackers during the incident included Social Security numbers, personal details, driver's license numbers, and in some cases credit card numbers.

Equifax has confirmed that the breach was made possible by a vulnerability in the Apache Struts web framework, used on its U.S. website. The Jakarta Multipart parser in Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles errors while processing file uploads: a malformed Content-Type header is echoed into an error message that is then evaluated as an OGNL expression, which lets an unauthenticated remote attacker execute arbitrary commands on the server. The issue is tracked as CVE-2017-5638 (Struts security bulletin S2-045).

This particular vulnerability was publicly disclosed in March this year, and the Struts team published fixed releases (2.3.32 and 2.5.10.1) the very same day. Equifax, however, was still running an unpatched version when attackers began exploiting it in mid-May, more than two months after the fix was available, and that delay is what ultimately led to the data being compromised.
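The two points above, the affected version ranges and the unpatched deployment, translate directly into checks a team can run. The following Python is an added example written for this post, not code from the original article or from the Struts project: it flags Struts 2 artifacts whose versions fall in the ranges named above, and it scans access-log lines for Content-Type values carrying OGNL expression markers (`%{`, `${`, `@Class@member`), the syntax that this bug ends up evaluating. The log line format, the dependency list and the detection regex are assumptions for illustration, and all sample data is constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as given in the post for CVE-2017-5638:
# 2.3.x before 2.3.32, and 2.5.x before 2.5.10.1.
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Leading dotted-numeric part of a version; trailing qualifiers such as
# "-SNAPSHOT" are ignored for the range comparison.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")

# OGNL expression syntax: "%{...}" / "${...}" expressions and "@Class@member"
# static references. A well-formed Content-Type value never contains these.
_OGNL_RE = re.compile(r"%\{|\$\{|@[A-Za-z_][\w.]*@")

# Constructed access-log format (an assumption for this example): client,
# method, path, then the request's Content-Type value in double quotes.
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.5.10.1-SNAPSHOT' into (2, 5, 10, 1); None if there is no numeric prefix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if a Struts 2 version string falls inside the affected ranges above."""
    v = parse_version(version)
    if v is None or len(v) < 2 or v[0] != 2:
        return False
    if v[1] == 3:
        return v < FIXED_2_3   # tuple comparison: (2, 3, 31) < (2, 3, 32)
    if v[1] == 5:
        return v < FIXED_2_5   # (2, 5, 10) < (2, 5, 10, 1); 2.5.10.1 itself is fixed
    return False


def find_vulnerable_dependencies(coordinates: List[str]) -> List[str]:
    """Filter Maven-style 'group:artifact:version' entries down to affected Struts 2 artifacts."""
    hits = []
    for coord in coordinates:
        parts = coord.split(":")
        if len(parts) != 3:
            continue
        group, artifact, version = parts
        if (group == "org.apache.struts" and artifact.startswith("struts2")
                and is_vulnerable_struts(version)):
            hits.append(coord)
    return hits


def suspicious_content_type(value: str) -> bool:
    """True if a Content-Type value carries OGNL expression markers."""
    return _OGNL_RE.search(value) is not None


def scan_log(lines: List[str]) -> List[str]:
    """Return the client addresses whose requests carried a suspicious Content-Type."""
    flagged = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and suspicious_content_type(m.group(4)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample data for the demonstration; not a real dependency
# manifest and not real traffic.
SAMPLE_DEPENDENCIES = [
    "org.apache.struts:struts2-core:2.3.31",
    "org.apache.struts:struts2-convention-plugin:2.5.10.1",
    "org.example:demo-webapp:1.0.0",
]

SAMPLE_LOG = [
    '203.0.113.5 POST /upload.action "multipart/form-data; boundary=----FormBoundary7MA4"',
    "198.51.100.23 POST /upload.action \"%{(#probe='marker')}\"",
    '192.0.2.9 GET /index.action "-"',
]

if __name__ == "__main__":
    print("vulnerable dependencies:", find_vulnerable_dependencies(SAMPLE_DEPENDENCIES))
    print("clients sending OGNL in Content-Type:", scan_log(SAMPLE_LOG))
```

The version check follows the post's phrasing and flags every 2.3.x below 2.3.32; the Apache bulletin scopes the affected 2.3 line to 2.3.5 through 2.3.31, so anything older than 2.3.5 would be a false positive here and should be checked against the bulletin. The header check is deliberately narrow (OGNL markers only) so it can run over large logs cheaply; it is a triage signal for incident response, not a replacement for upgrading the library.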

A more detailed analysis of this incident, by the Apache Software Foundation, can be found here.