Many of you may have heard of the Equifax data breach, possibly affecting millions of consumers. Information accessed by hackers during the incident included Social Security numbers, personal details, driver’s license numbers, and even credit card numbers.
Equifax has confirmed that the breach was made possible by a vulnerability in the Apache Struts Web Framework, used on their U.S. website. The multipart parser in Struts 2.3.x before 2.3.32, and 2.5.x before 2.5.10.1, mishandles file uploads, as detailed here: CVE-2017-5638.
This particular vulnerability was announced in March this year, and was patched by the Struts team on the very same day. However, Equifax failed to update their site to use these patched libraries in a timely manner, which ultimately led to the data being compromised.
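As an added illustration of the affected ranges (this is not code from the post, from Equifax or from the Struts project), here is a small Python check that flags struts2-core jars whose version falls inside the ranges the CVE description quotes above; the jar naming pattern and the sample library listing are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed versions taken from the CVE-2017-5638 description quoted in the post:
# 2.3.x is fixed in 2.3.32, 2.5.x is fixed in 2.5.10.1.
FIXED_IN = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Assumed filename convention for the Struts core artifact, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"struts2?-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if this Struts 2 version is older than the fix for its branch."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # branches the CVE text does not list (2.2.x etc.)
    return v < fixed  # tuple comparison: (2, 5, 10) < (2, 5, 10, 1)


def vulnerable_from_jar_name(jar_name: str) -> Optional[bool]:
    """Classify a jar by its filename; None when it is not a Struts core jar."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    return is_vulnerable_struts(m.group(1))


def scan_classpath(jar_names):
    """Return the jar names that still carry a vulnerable Struts core."""
    return [j for j in jar_names if vulnerable_from_jar_name(j)]


# Constructed sample of what a WEB-INF/lib listing might contain.
SAMPLE_LIBS = [
    "WEB-INF/lib/struts2-core-2.3.31.jar",
    "WEB-INF/lib/struts2-core-2.3.32.jar",
    "WEB-INF/lib/struts2-core-2.5.10.jar",
    "WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for jar in scan_classpath(SAMPLE_LIBS):
        print("UPDATE REQUIRED:", jar)
```

Run against a real deployment, the listing would come from the application's WEB-INF/lib directory rather than the constructed sample.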
A more detailed analysis of this incident, by the Apache Software Foundation, can be found here.
Posted on Sep 15th 2017