To all QA Consultants Customers, Contacts, and Friends,
You have likely heard about the Equifax breach by now, which on September 7, 2017, grabbed headlines around the world as Equifax revealed that personal data of roughly 143 million consumers in the United States and certain UK and Canadian residents had been compromised. Equifax has not issued a public statement pinpointing which vulnerability was exploited. However, multiple sources have reported Equifax and their agents have attributed this breach to a vulnerability in Apache Struts, a free, open-source framework for creating Java-based web applications.
QA Consultants RootSecure Managed Cyber Risk Service Customers
If you are one of our QA Consultants RootSecure Managed Cyber Risk Service Customers:
- RootSecure detects Apache Struts components and their vulnerabilities on web servers
- If the industry consensus is correct, RootSecure identified the key vulnerability in the Equifax breach as far back as April 2017, clearly identifying this as a critical, high priority issue to mitigate
- Upon discovery in customer networks, the RootSecure SOC immediately recommended patching procedures that when executed, were proven to be 100% successful in elimination of these specific Apache Struts vulnerabilities
- We remain concerned, however, if your web application properties are not within the scanning surface range of your RootSecure deployed sensor, you may still be at risk
- Please include these subnets / hosts within your RootSecure scanning range
- Contact the RootSecure SOC through normal channels
Non-RootSecure Customers
For Non-RootSecure Customers who may be at risk:
- You will need to identify where you may have web applications being internally developed or third-party deployed, notably using Java Enterprise Edition, built on this architecture
- It is likely that such an implementation will utilize Apache Struts as a component in some way even if you are not aware of this, as it very well could be a third-party component included within your purchased systems
- RootSecure can be quickly deployed to help you discover this issue even where you might not know whether the Apache Struts component even exists within your infrastructure
- Ensure that the latest patches are applied to Apache Struts (instructions are in the FAQ)
- We are now prepared to field outside requests for assistance from this event
Please contact us at [email protected] and specify “Equifax Assist” in the subject header
Without these kinds of vulnerabilities continuously emerging and remaining prevalent in networks everywhere, these vicious and malicious global disasters could never occur. Subsequently, we hope that we can come together as a community, and make Managed Cyber-Risk “an important thing to do” for everyone to stay safe.