Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a component found in a large share of Struts enterprise deployments. The plugin’s XStream handler deserializes XML request bodies without restricting which classes it will instantiate, so an unauthenticated attacker who can reach a REST endpoint over HTTP can send a crafted XML payload and execute code on the server; a public exploit was published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13 (and v2.3.34 for the 2.3 line), which includes a fix for CVE-2017-9805. Deployments that cannot upgrade immediately should remove the REST plugin where it is not needed or apply the workaround in the S2-052 advisory of limiting the plugin to JSON (struts.action.extension=xhtml,,json). As always, the byword of the week is “patch and update.”
Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised. Your open source security and cybersecurity news follows…
via InfoSecurity: Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software… this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.”
via Black Duck blog (Mike Pittenger): There is a simpler way to handle these incidents, and it's neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago… doing the same with software — maintaining an accurate list of all components used in each application—makes incident response much easier when vulnerabilities like this are disclosed.
via Black Duck blog (Phil Odence): Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. While the GPL has come to be reasonably well-understood, a number of licenses on the lunatic fringe will surprise and perhaps amuse.
via IT Pro Windows: Any organization using open source software should make sure there is a strong open source policy in place that dots the "I"s and crosses the "T"s. Why? Because open source licenses recently became even more enforceable than they were already.
via Krebs on Security: I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.
via The Atlantic: For Americans who want to protect their personal information, there is no way, in our current system, to do so. On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.
via Equifax: Determine if your personal information may have been impacted by this incident.
via The Guardian: A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. What’s more, new European regulation aimed at protecting personal data (GDPR) comes into force next year, and could result in fines of between 2% and 4% of annual turnover, or €20m (£18m), whichever is greater. Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.
via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): Open source management best practices require organizations to know the open source in their code in order to reduce risks, tighten policies, and monitor and audit for compliance and policy violations. Automating identification of all open source in use allows development and license teams to quickly gain visibility into any known open source security vulnerabilities as well as compliance issues, define and enforce open source use and risk policies, and continuously monitor for newly disclosed vulnerabilities.
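The Struts item at the top of the page and the component-inventory point in the Pittenger and Znidarsic excerpts come together in the following check. It is an added example, not code from the original page or from Black Duck: it triages CVE-2017-9805 against a constructed per-application component inventory (the application names are hypothetical) using the affected and fixed versions published in the Apache Struts advisory S2-052, and flags only the applications that actually ship the REST plugin in an affected version range.

```python
"""Triage a freshly disclosed CVE against a per-application component inventory.

Added example, not code from the original article or from Black Duck. The
inventory below is constructed; the affected and fixed versions for
CVE-2017-9805 are taken from the Apache Struts advisory S2-052 (affected:
2.1.2 through 2.3.33 and 2.5 through 2.5.12; fixed in 2.3.34 and 2.5.13).
"""
import re
from typing import Dict, List, Tuple

Component = Tuple[str, str, str]          # (group, artifact, version)
Inventory = Dict[str, List[Component]]    # application -> its components

# Constructed inventory of four internal applications (hypothetical names).
INVENTORY: Inventory = {
    "billing-portal": [
        ("org.apache.struts", "struts2-core", "2.5.12"),
        ("org.apache.struts", "struts2-rest-plugin", "2.5.12"),
        ("com.thoughtworks.xstream", "xstream", "1.4.10"),
    ],
    "claims-api": [
        ("org.apache.struts", "struts2-core", "2.3.34"),
        ("org.apache.struts", "struts2-rest-plugin", "2.3.34"),
    ],
    "hr-intranet": [
        # Old Struts core, but the REST plugin is not deployed here.
        ("org.apache.struts", "struts2-core", "2.3.20"),
        ("org.springframework", "spring-core", "4.3.10.RELEASE"),
    ],
    "partner-feed": [
        ("org.apache.struts", "struts2-rest-plugin", "2.5.10.1"),
    ],
}

# Affected ranges are [introduced, fixed): the fixed version itself is clean.
ADVISORY = {
    "cve": "CVE-2017-9805",
    "component": ("org.apache.struts", "struts2-rest-plugin"),
    "ranges": [("2.1.2", "2.3.34"), ("2.5", "2.5.13")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' or '4.3.10.RELEASE' into a tuple of ints.

    Non-numeric parts (qualifiers such as RELEASE or SNAPSHOT) are dropped; a
    qualifier-aware comparison would need Maven's full ordering rules.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Numeric comparison with zero padding, so that 2.5 == 2.5.0 < 2.5.13."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return compare(version, introduced) >= 0 and compare(version, fixed) < 0


def affected_applications(inventory: Inventory, advisory: dict) -> List[Tuple[str, str, str]]:
    """Return (application, deployed version, version to upgrade to) for every
    application that ships the advisory's component in an affected range."""
    group, artifact = advisory["component"]
    hits = []
    for app, components in sorted(inventory.items()):
        for g, a, version in components:
            if (g, a) != (group, artifact):
                continue
            for introduced, fixed in advisory["ranges"]:
                if version_in_range(version, introduced, fixed):
                    hits.append((app, version, fixed))
                    break
    return hits


if __name__ == "__main__":
    for app, version, fixed in affected_applications(INVENTORY, ADVISORY):
        print(f"{ADVISORY['cve']}: {app} ships struts2-rest-plugin {version}; upgrade to {fixed}")
```

Run against the constructed inventory, the check names billing-portal and partner-feed and nothing else: claims-api already runs the fixed 2.3.34, and hr-intranet carries an old struts2-core but not the REST plugin, so it is not exposed to this particular CVE (it still deserves an upgrade for other reasons). The version parser deliberately drops Maven qualifiers, which is adequate for Struts's numeric release numbers but not a substitute for Maven's full version ordering in a production tool.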
via ZDNet: As national elections loom, questions have surfaced about the security of Germany's voting results software.