Nearly two years after the Equifax breach, and despite Apache Struts having released multiple updates in that time, Sonatype research found that between July and December 2018 two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was exploited in the infamous Equifax breach, the company said in an email.
“According to our analysis of The Central Repository (the de facto repository of Java components, used by default as the source of components by all the popular Java build tools), over the last 6 months of 2018 we saw 65 of the Fortune Global 100 download vulnerable versions of Struts,” a spokesperson wrote.
“Beyond Struts, this problem of electively consuming known vulnerable open source components is a large issue that extends across all industries. In 2018, Sonatype (Central report again) and npm reported that 12.1% of Java open source components and 51% of JavaScript npm packages downloaded had known vulnerabilities. Equifax is actually now leading the charge and taking action to manage their software supply chains. While Equifax has changed, too many others haven't learned their lesson; it's clear that the cost of inaction is massive,” according to the spokesperson.
“The scope of companies that are still using CVE-2017-5638 demonstrates the importance of vulnerability identification. A researcher in our Crowd of ethical hackers identified CVE-2017-5638 months before the Equifax breach and submitted that information to one of our customers, a major worldwide financial services company. As a result, the customer remediated the vulnerability before a bad actor could take advantage of it,” said Ashish Gupta, CEO of Bugcrowd.
Vulnerability disclosures are intended to raise awareness and help mitigate risk. After the Equifax breach, it was expected that more companies would take security seriously.
“We found the same vulnerability in a major credit company’s environment several months before the Equifax breach and helped prioritize and remediate the issue well before the company faced any reputational or financial risk from this vulnerability,” Gupta said.
“Since then we have worked with our researchers and other customers to further protect themselves from the Struts vulnerability successfully. If you haven’t already done so, anyone with Apache Struts in their environment should patch immediately. The best protection against such a breach is a layered defense-in-depth approach, a strong SDL (security development lifecycle) for all application development including a bug bounty. The security research community wants to help organizations find and fix these issues.”