CVE-2017-9805, Equifax Breach & the Wacky World of Open Source Licenses

Our vulnerability of the week is CVE-2017-9805 (Struts bulletin S2-052), which resides in Apache Struts’ REST plugin, a component found in many enterprise Struts deployments. The plugin’s XStream handler deserializes XML request bodies without any type filtering, so a crafted XML payload sent to a REST endpoint can lead to remote code execution; nothing more than an ordinary HTTP request is required, and a public exploit was published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. Until you can upgrade, the Struts bulletin recommends removing the REST plugin wherever it is not actually used. As always, the byword of the week is “patch and update.”

Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised. Your open source security and cybersecurity news follows…

Apache Struts Vuln Threatens Fortune 500 Data

via InfoSecurity: Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software… this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.”

"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

via Black Duck blog (Mike Pittenger): There is a simpler way to handle these incidents, and it's not new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago… doing the same with software — maintaining an accurate list of all components used in each application—makes incident response much easier when vulnerabilities like this are disclosed. 
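The kind of check that an accurate component list makes possible when a vulnerability like CVE-2017-9805 is disclosed, as an added example (this is not code from the page or from Black Duck): given a per-application inventory of components, flag every application whose Struts REST plugin falls inside the affected version ranges. The inventory below is constructed for illustration; the affected ranges follow the Struts S2-052 bulletin (2.1.2 through 2.3.33 and 2.5 through 2.5.12), encoded as inclusive lower and exclusive upper bounds. The application names and the `Advisory` structure are this example's own, not any product's format.

```python
"""Match a component inventory against an advisory's affected-version ranges.

Added example, not code from the page or from Black Duck. The inventory
is constructed; the affected ranges follow the Struts S2-052 bulletin.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: application -> list of (group:artifact, version).
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "customer-portal": [
        ("org.apache.struts:struts2-core", "2.5.10"),
        ("org.apache.struts:struts2-rest-plugin", "2.5.10"),
    ],
    "billing-api": [
        ("org.apache.struts:struts2-core", "2.3.32"),
        ("org.apache.struts:struts2-rest-plugin", "2.3.32"),
    ],
    "intranet-wiki": [
        ("org.apache.struts:struts2-core", "2.5.13"),
        ("org.apache.struts:struts2-rest-plugin", "2.5.13"),
    ],
    "reporting": [
        ("org.apache.struts:struts2-core", "2.5.12"),  # core only, no REST plugin
    ],
}


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory record: which component, which version ranges."""
    cve: str
    component: str
    # Each range is (inclusive lower bound, exclusive upper bound).
    affected: Tuple[Tuple[str, str], ...]


# Ranges per the Struts S2-052 bulletin: 2.1.2 - 2.3.33 and 2.5 - 2.5.12.
S2_052 = Advisory(
    cve="CVE-2017-9805",
    component="org.apache.struts:struts2-rest-plugin",
    affected=(("2.1.2", "2.3.34"), ("2.5", "2.5.13")),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.13' into (2, 5, 13); a trailing qualifier such as '-RC1' is dropped.

    Tuples compare element-wise, and a shorter tuple that is a prefix of a
    longer one sorts first, so (2, 5) <= (2, 5, 0) holds as intended.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if version lies in any affected range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in advisory.affected)


def affected_applications(inventory: Dict[str, List[Tuple[str, str]]],
                          advisory: Advisory) -> Dict[str, str]:
    """Return {application: version} for every application that ships the
    advisory's component at an affected version."""
    hits: Dict[str, str] = {}
    for app, components in inventory.items():
        for name, version in components:
            if name == advisory.component and is_affected(version, advisory):
                hits[app] = version
    return hits


if __name__ == "__main__":
    for app, version in sorted(affected_applications(INVENTORY, S2_052).items()):
        print(f"{app}: {S2_052.component} {version} is affected by {S2_052.cve}")
```

Note that the check is keyed on the plugin artifact, not on struts2-core: "reporting" runs an affected core version but never loaded the REST plugin, so it is not flagged, while "intranet-wiki" on 2.5.13 drops out because the upper bound is exclusive. That distinction is exactly what a per-application inventory buys you over grepping jar names.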


8 Takeaways from NIST’s Application Container Security Guide

Diving Deep into Wild & Wacky Open Source Licenses

via Black Duck blog (Phil Odence): Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. While the GPL has come to be reasonably well-understood, a number of licenses on the lunatic fringe will surprise and perhaps amuse.

Court Ruling Adds New Power to Open Source Licenses

via IT Pro Windows: Any organization using open source software should make sure there is a strong open source policy in place that dots the "I"s and crosses the "T"s. Why? Because open source licenses recently became even more enforceable than they were already.

Breach at Equifax May Impact 143M Americans

via Krebs on Security:  I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

A Cybersecurity Breach at Equifax Left Pretty Much Everyone's Financial Data Vulnerable

via The Atlantic: For Americans who want to protect their personal information, there is no way, in our current system, to do so. On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.

See if You Were Affected by the Equifax Cybersecurity Incident

via Equifax: Determine if your personal information may have been impacted by this incident.

Are You an Easy Hacking Target? Cybersecurity Tips for Small Business

via The Guardian:  A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. What’s more, new European regulation aimed at protecting personal data (GDPR) comes into force next year, and could result in fines of between 2% and 4% of annual turnover, or €20m (£18m), whichever is greater. Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.

Compliant? Sure, But With What?

via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): Open source management best practices require organizations to know the open source in their code in order to reduce risks, tighten policies, and monitor and audit for compliance and policy violations. Automating identification of all open source in use allows development and license teams to quickly gain visibility into any known open source security vulnerabilities as well as compliance issues, define and enforce open source use and risk policies, and continuously monitor for newly disclosed vulnerabilities.

German Election Voting Software Riddled With Holes, Researchers Warn

via ZDNet: As national elections loom, questions have surfaced about the security of Germany's voting results software.
