CVE-2017-9805, Equifax Breach & the Wacky World of Open Source Licenses

Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, and a public exploit was published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.”

Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised. Your open source security and cybersecurity news follows…

Apache Struts Vulns Threaten Fortune 500 Data

via InfoSecurity: Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software… this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.”

"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

via Black Duck blog (Mike Pittenger): There is a simpler way to handle these incidents, and it's neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago… doing the same with software — maintaining an accurate list of all components used in each application — makes incident response much easier when vulnerabilities like this are disclosed.


Diving Deep into Wild & Wacky Open Source Licenses

via Black Duck blog (Phil Odence): Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. While the GPL has come to be reasonably well-understood, a number of licenses on the lunatic fringe will surprise and perhaps amuse.

Court Ruling Adds New Power to Open Source Licenses

via IT Pro Windows: Any organization using open source software should make sure there is a strong open source policy in place that dots the "I"s and crosses the "T"s. Why? Because open source licenses recently became even more enforceable than they were already.

Breach at Equifax May Impact 143M Americans

via Krebs on Security: I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

A Cybersecurity Breach at Equifax Left Pretty Much Everyone's Financial Data Vulnerable

via The Atlantic: For Americans who want to protect their personal information, there is no way, in our current system, to do so. On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.

See if You Were Affected by the Equifax Cybersecurity Incident

via Equifax: Determine if your personal information may have been impacted by this incident.

Are You an Easy Hacking Target? Cybersecurity Tips for Small Business

via The Guardian: A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. What’s more, new European regulation aimed at protecting personal data (GDPR) comes into force next year, and could result in fines of between 2% and 4% of annual turnover, or €20m (£18m), whichever is greater. Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.

Compliant? Sure, But With What?

via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): Open source management best practices require organizations to know the open source in their code in order to reduce risks, tighten policies, and monitor and audit for compliance and policy violations. Automating identification of all open source in use allows development and license teams to quickly gain visibility into any known open source security vulnerabilities as well as compliance issues, define and enforce open source use and risk policies, and continuously monitor for newly disclosed vulnerabilities.
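The Pittenger and Znidarsic excerpts above both make the same practical point: if you already hold an accurate inventory of the components in each application, a new advisory such as CVE-2017-9805 becomes a lookup rather than a fire drill. The script below is an added example, not code from the newsletter or from Black Duck, of that lookup. The application names, the inventory contents and the affected-version rule (every release below the fixed one is affected) are constructed assumptions; the Maven coordinates org.apache.struts:struts2-rest-plugin are likewise assumed for the example. The only facts taken from the page are the CVE id, the REST plugin and the fixed release 2.5.13.

```python
"""Added example: match a component inventory against a disclosed advisory.

Everything here except the CVE id, the plugin name and the 2.5.13 fix
version is constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    fixed_in: str  # first release that contains the fix


def parse_version(v: str) -> tuple:
    """Turn '2.5.13' into (2, 5, 13) so versions compare numerically.

    A plain string comparison would rank '2.5.9' above '2.5.13', which is
    exactly the kind of mistake that leaves a vulnerable build unnoticed.
    Release qualifiers such as '-SNAPSHOT' are not handled in this example.
    """
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """Assumption for the example: every release below fixed_in is affected."""
    if (component.group, component.artifact) != (advisory.group, advisory.artifact):
        return False
    return parse_version(component.version) < parse_version(advisory.fixed_in)


# Constructed inventory: application name -> components it ships.
INVENTORY = {
    "billing-portal": [
        Component("org.apache.struts", "struts2-core", "2.5.12"),
        Component("org.apache.struts", "struts2-rest-plugin", "2.5.12"),
    ],
    "hr-intranet": [
        Component("org.apache.struts", "struts2-core", "2.5.13"),
        Component("org.apache.struts", "struts2-rest-plugin", "2.5.13"),
    ],
    "reporting-api": [
        Component("org.springframework", "spring-web", "4.3.10"),
    ],
}

# CVE id and fixed release come from the newsletter; coordinates are assumed.
ADVISORY = Advisory("CVE-2017-9805", "org.apache.struts", "struts2-rest-plugin", "2.5.13")


def affected_applications(inventory: dict, advisory: Advisory) -> dict:
    """Map each affected application to the vulnerable component(s) it ships."""
    hits = {}
    for app, components in inventory.items():
        bad = [c for c in components if is_affected(c, advisory)]
        if bad:
            hits[app] = bad
    return hits


if __name__ == "__main__":
    for app, comps in affected_applications(INVENTORY, ADVISORY).items():
        for c in comps:
            print(f"{ADVISORY.cve}: {app} ships {c.artifact} {c.version}; "
                  f"upgrade to {ADVISORY.fixed_in}")
```

Run as-is it reports only billing-portal, because hr-intranet already ships the fixed plugin release and reporting-api does not use Struts at all. The inventory would normally be generated by a build or scanning tool rather than typed by hand; the point is that the matching step is trivial once the inventory exists and is kept current.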

German Election Voting Software Riddled With Holes, Researchers Warn

via ZDNet: As national elections loom, questions have surfaced about the security of Germany's voting results software.
