[conspire] I get mail

Rick Moen rick at linuxmafia.com
Wed Jan 3 21:24:17 PST 2018


Quoting Mike Higashi (mhigashi at gmail.com):

> Wasn't Struts how Equifax got breached?

Yes, and oddly enough it was a bug in Struts 2 -- what I'd call an
abject and alarming failure to do input validation on received public
data input, such that Struts's 'Jakarta Multipart' parser could be
fooled into running arbitrary commands submitted to it in HTTP file
upload attempts.

https://nvd.nist.gov/vuln/detail/CVE-2017-5638
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/

This is very reminiscent of a lot of PHP security calamities.

In fairness, Equifax didn't bother to apply a critical security bug fix
for more than two months.
