Author: Joel Hruska / Source: ExtremeTech
Last week, a massive hack of the credit bureau Equifax stole critical personally identifiable information (PII) on 143 million US citizens. The company’s response to the incident has been strongly criticized, and now we know the incompetence isn’t limited to the customer-facing sections of the company. The flaw that allowed hackers to penetrate Equifax and steal its customer data had been patched several months earlier.
The flaw in question is within Apache Struts and is identified as CVE-2017-5638. It’s described as a flaw in file upload handling, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.”
This flaw was fixed on March 6, 2017. It was already under heavy attack by March 9 and Ars Technica reports it was still being exploited on March 11. Equifax was penetrated in mid-May, meaning the company waited more than two months to apply mission-critical patches that were ranked at the highest degree of severity and reported in multiple security publications and notices. This isn’t some minor issue that got swept under the rug by a vendor and happened to…
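As an added defender's example (not code from the article, from Equifax or from the Apache Struts project), the check below flags Content-Type header values that carry the #cmd= string quoted in the advisory text above or generic OGNL expression delimiters, and separately flags values that do not parse as a media type at all. The sample header lines are constructed, `EXPR` is a placeholder rather than a real payload, and the delimiter list is an assumption about what legitimate clients never send.

```python
import re
from typing import Iterable, List, Tuple

# "#cmd=" is the marker quoted in the CVE-2017-5638 description; "%{" and "${"
# are the generic OGNL expression delimiters. Assumption: no legitimate client
# sends any of these inside a Content-Type value, so every hit deserves an alert.
OGNL_MARKERS = ("#cmd=", "%{", "${")

# RFC 7231 shape of a Content-Type value: type/subtype plus optional
# ";name=value" parameters whose values are tokens or quoted strings.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PARAM = r"\s*;\s*" + _TOKEN + r"=(?:" + _TOKEN + r'|"[^"]*")'
CONTENT_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")


def classify_content_type(value: str) -> str:
    """Return 'ok', 'ognl-marker' or 'malformed' for one Content-Type value."""
    lowered = value.lower()
    if any(marker in lowered for marker in OGNL_MARKERS):
        return "ognl-marker"
    if not CONTENT_TYPE_RE.match(value.strip()):
        return "malformed"
    return "ok"


def scan_requests(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan raw header lines; return (line_no, verdict, value) for every non-ok Content-Type."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "content-type":
            continue  # only Content-Type headers are of interest here
        verdict = classify_content_type(value.strip())
        if verdict != "ok":
            hits.append((line_no, verdict, value.strip()))
    return hits


# Constructed sample header lines (not captured traffic); EXPR is a placeholder.
SAMPLE_HEADERS = [
    "Content-Type: multipart/form-data; boundary=----FormBoundary1234",
    "Content-Type: application/json",
    "Content-Type: %{EXPR}#cmd=EXPR",
    'Content-Type: text/html; charset="utf-8"',
    "Content-Type: multipart/form-data; boundary=abc{def",
    "Accept: */*",
]

if __name__ == "__main__":
    for line_no, verdict, value in scan_requests(SAMPLE_HEADERS):
        print(f"line {line_no}: {verdict}: {value}")
```

A rule like this belongs in front of the application (WAF or reverse proxy) as a stopgap only; the real fix is applying the Struts patch, which this check does not replace.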