Black Duck releases Apache Struts checker tool

Open Source software security and management vendor Black Duck has released a free tool to check for Apache Struts vulnerabilities. The tool is aimed at the same vulnerability that enabled the Equifax breach. It will search applications and containers for any sign of CVE-2017-5638. The tool is called Threat Check for Struts and requires registration on the Black Duck website.

According to Black Duck CEO Lou Shipley: “The Equifax breach never should have happened. Equifax has acknowledged that. Even though a patch for the exploited Apache Struts vulnerability had been available for two months when the breach occurred, it hadn’t been applied. Unfortunately, this is something we see time and again – a known, fixable open source vulnerability not being remediated.”

What does this mean?

The timing of this release is important. Security vendors such as Black Duck are reporting an increase in the number of attacks using this exploit. It is probable that the escalation is a response to greater awareness of the vulnerability among hackers. There is also the likelihood that the attacks are hackers trying to get in before remediation tools and patches close the hole.

Apache Struts is a widely used open source web application framework. This makes it an attractive target for hackers. Despite this, the CVE database contains a very small number of known vulnerabilities for the framework, with only four reported in the last three years. This is something that has also driven its growth, as developers believe they can trust it.

The challenge with open source solutions is patching. When the software comes from a commercial vendor there is often a patching process in place. With many open source projects it is down to the developers to know about patches. They then have to assess the risk and locate every application that uses the affected code. This tends to slow down patching and is something that companies need to fix.
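The "locate all applications using that code" step is the part most organisations lack. The script below is an added example, not Black Duck's Threat Check for Struts or any Apache project code: it walks a directory tree (an application server's deployments directory, or an unpacked container image) and reports every struts2-core jar it finds, on disk or nested inside a .war/.ear/.jar, flagging the versions the Apache advisory lists as affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The sample tree it scans in `demo()` is constructed inline.

```python
"""Inventory check for Apache Struts 2 jars affected by CVE-2017-5638.

Added example, not Black Duck's Threat Check for Struts: walks a directory
tree and reports struts2-core jars found on disk or inside an archive,
comparing each version against the affected ranges from the Apache advisory
(2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1).
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Matches struts2-core-<version>.jar, e.g. struts2-core-2.3.31.jar
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Archive types that commonly wrap application jars (WEB-INF/lib etc.).
ARCHIVE_SUFFIXES = (".war", ".ear", ".jar", ".zip")
# Affected ranges from the CVE-2017-5638 advisory, inclusive at both ends.
AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison orders versions."""
    return tuple(int(p) for p in text.split("."))


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)


def _finding(location: str, version: str) -> Dict[str, object]:
    return {"location": location, "version": version, "affected": is_affected(version)}


def _scan_archive(path: str) -> List[Dict[str, object]]:
    """Look one level inside a zip-based archive for a nested struts2-core jar."""
    try:
        with zipfile.ZipFile(path) as archive:
            entries = archive.namelist()
    except zipfile.BadZipFile:
        return []  # a .jar/.war that is not actually a zip container
    out = []
    for entry in entries:
        match = STRUTS_JAR.search(os.path.basename(entry))
        if match:
            out.append(_finding(f"{path}!{entry}", match.group(1)))
    return out


def scan_tree(root: str) -> List[Dict[str, object]]:
    """One finding per struts2-core jar under root, sorted by location.

    A location is a file path, or 'archive!entry' for a jar nested
    inside another archive.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            match = STRUTS_JAR.search(name)
            if match:
                findings.append(_finding(path, match.group(1)))
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(_scan_archive(path))
    return sorted(findings, key=lambda f: f["location"])


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a loose vulnerable jar and a .war bundling a patched one."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "struts2-core-2.3.31.jar"), "wb") as fh:
        fh.write(b"not a real jar")  # the filename is all the scanner needs here
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.1.jar", b"")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")


def demo() -> List[Tuple[str, bool]]:
    """Scan the constructed tree; returns (version, affected) pairs in location order."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(f["version"], f["affected"]) for f in scan_tree(tmp)]


if __name__ == "__main__":
    for version, affected in demo():
        print(f"struts2-core {version}: {'AFFECTED' if affected else 'ok'}")
```

Point `scan_tree()` at a real deployments directory or an unpacked image to get an inventory; the filename-only match is deliberate (it is what most ad-hoc checks do), so a jar that has been renamed or shaded into another artifact will not be found, which is exactly the gap a manifest or SBOM-based check closes.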

For Equifax, the lack of processes to understand where Apache Struts was used and the failure to patch have been disastrous. The share price is still down around 30% from the moment the breach was announced. With so many large organisations using Apache Struts in their enterprise software, it will be interesting to see how many download Threat Check for Struts.
