CVE-2017-9805, Equifax Breach & Wacky Open Source Licenses


Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.”

Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised. Your open source security and cybersecurity news follows…

Apache Struts Vulns Threaten Fortune 500 Data

via InfoSecurity: Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software… this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.”

"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

via Black Duck blog (Mike Pittenger): There is a simpler way to handle these incidents, and it's neither new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago… doing the same with software, maintaining an accurate list of all components used in each application, makes incident response much easier when vulnerabilities like this are disclosed.
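The component list Pittenger describes, and the "patch and update" advice above, as an added example that is not code from the Black Duck post or the Struts project: a small Python check that runs a component inventory against an advisory record and reports which applications still ship a struts2-rest-plugin older than the 2.5.13 release the page names as the fix for CVE-2017-9805. The inventory entries are constructed sample data, and treating every version below 2.5.13 as affected is an assumption drawn from that single stated fix version.

```python
"""Constructed example: check a component inventory against a Struts advisory.

The inventory below is sample data, not any organisation's records. The
affected range is an assumption taken from the page's statement that
Apache Struts 2.5.13 fixes CVE-2017-9805: any struts2-rest-plugin older
than 2.5.13 is treated as affected.
"""
from typing import Dict, List, Tuple

# Constructed inventory: application -> list of (component, version).
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "customer-portal": [("struts2-core", "2.5.10"), ("struts2-rest-plugin", "2.5.10")],
    "billing-api":     [("struts2-core", "2.5.13"), ("struts2-rest-plugin", "2.5.13")],
    "intranet-wiki":   [("struts2-core", "2.3.33")],  # REST plugin not deployed here
    "partner-gateway": [("struts2-core", "2.3.33"), ("struts2-rest-plugin", "2.3.33")],
}

# Advisory record for the vulnerability discussed on the page.
ADVISORY = {"id": "CVE-2017-9805", "component": "struts2-rest-plugin", "fixed_in": "2.5.13"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.13' into (2, 5, 13); a '-qualifier' suffix is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    """A component is affected when it is older than the fixing release."""
    return parse_version(version) < parse_version(fixed_in)


def affected_applications(inventory, advisory) -> List[Tuple[str, str]]:
    """Return (application, installed version) pairs that still need the fix.

    Only applications that actually ship the vulnerable component are listed;
    an app that never deployed the REST plugin is not exposed to this CVE.
    """
    hits = []
    for app, components in inventory.items():
        for name, version in components:
            if name == advisory["component"] and is_affected(version, advisory["fixed_in"]):
                hits.append((app, version))
    return sorted(hits)


if __name__ == "__main__":
    for app, version in affected_applications(INVENTORY, ADVISORY):
        print(f"{ADVISORY['id']}: {app} ships {ADVISORY['component']} {version}; "
              f"upgrade to {ADVISORY['fixed_in']}")
```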

Learn Your 4 Options for Vulnerability Remediation

Diving Deep into Wild & Wacky Open Source Licenses

via Black Duck blog (Phil Odence): Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. While the GPL has come to be reasonably well-understood, a number of licenses on the lunatic fringe will surprise and perhaps amuse.

Court Ruling Adds New Power to Open Source Licenses

via IT Pro Windows: Any organization using open source software should make sure there is a strong open source policy in place that dots the "I"s and crosses the "T"s. Why? Because open source licenses recently became even more enforceable than they were already.

Breach at Equifax May Impact 143M Americans

via Krebs on Security: I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis, a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

A Cybersecurity Breach at Equifax Left Pretty Much Everyone's Financial Data Vulnerable

via The Atlantic: For Americans who want to protect their personal information, there is no way, in our current system, to do so. On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.

See if You Were Affected by the Equifax Cybersecurity Incident | Equifax

via Equifax: Determine if your personal information may have been impacted by this incident.

Are You an Easy Hacking Target? Cybersecurity Tips for Small Business

via The Guardian: A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. What’s more, new European regulation aimed at protecting personal data (GDPR) comes into force next year, and could result in fines of between 2% and 4% of annual turnover, or €20m (£18m), whichever is greater. Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.

Compliant? Sure, But With What?

via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): Open source management best practices require organizations to know the open source in their code in order to reduce risks, tighten policies, and monitor and audit for compliance and policy violations. Automating identification of all open source in use allows development and license teams to quickly gain visibility into any known open source security vulnerabilities as well as compliance issues, define and enforce open source use and risk policies, and continuously monitor for newly disclosed vulnerabilities.

German Election Voting Software Riddled With Holes, Researchers Warn

via ZDNet: As national elections loom, questions have surfaced about the security of Germany's voting results software.
