Open Source Insight:
CVE-2017-9805, Equifax Breach & Wacky Open Source Licenses
By Fred Bals | Senior Content Writer/Editor
Cybersecurity News This Week
Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.”

Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised.
Open Source News
• Apache Struts Vulns Threatens Fortune 500 Data
• "Easy" to Hack Apache Struts Vulnerability CVE-2017-9805
• Diving Deep into Wild & Wacky Open Source Licenses
• Court Ruling Adds New Power to Open Source Licenses
• Breach at Equifax May Impact 143M Americans
More Open Source News
• A Cybersecurity Breach at Equifax Left Pretty Much Everyone's Financial Data Vulnerable
• See if You Were Affected by the Equifax Cybersecurity Incident | Equifax
• Are You an Easy Hacking Target? Cybersecurity Tips for Small Business
• Compliant? Sure, But With What?
• German Election Voting Software Riddled With Holes, Researchers Warn
Apache Struts Vulns Threatens Fortune 500 Data
via InfoSecurity: Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software… this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.”
"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805
via Black Duck blog (Mike Pittenger): There is a simpler way to handle these incidents, and it's not new nor a secret. In fact, the automotive industry solved this problem over one hundred years ago… doing the same with software — maintaining an accurate list of all components used in each application — makes incident response much easier when vulnerabilities like this are disclosed.
Diving Deep into Wild & Wacky Open Source Licenses
via Black Duck blog (Phil Odence): Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. While the GPL has come to be reasonably well-understood, a number of licenses on the lunatic fringe will surprise and perhaps amuse.
Court Ruling Adds New Power to Open Source Licenses
via IT Pro Windows: Any organization using open source software should make sure there is a strong open source policy in place that dots the "I"s and crosses the "T"s. Why? Because open source licenses recently became even more enforceable than they were already.
Breach at Equifax May Impact 143M Americans
via Krebs on Security: I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.
A Cybersecurity Breach at Equifax Left Pretty Much Everyone's Financial Data Vulnerable
via The Atlantic: For Americans who want to protect their personal information, there is no way, in our current system, to do so. On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.
See if You Were Affected by the Equifax Cybersecurity Incident | Equifax
via Equifax: Determine if your personal information may have been impacted by this incident.
Are You an Easy Hacking Target? Cybersecurity Tips for Small Business
via The Guardian: A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. What’s more, new European regulation aimed at protecting personal data (GDPR) comes into force next year, and could result in fines of between 2% and 4% of annual turnover, or €20m (£18m), whichever is greater. Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.
Compliant? Sure, But With What?
via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): Open source management best practices require organizations to know the open source in their code in order to reduce risks, tighten policies, and monitor and audit for compliance and policy violations. Automating identification of all open source in use allows development and license teams to quickly gain visibility into any known open source security vulnerabilities as well as compliance issues, define and enforce open source use and risk policies, and continuously monitor for newly disclosed vulnerabilities.
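The "accurate list of all components used in each application" that both the Pittenger and Znidarsic excerpts call for is, in practice, an inventory that can be matched against each new advisory the day it lands. The script below is an added example, not code from the newsletter or from Black Duck: it keeps a per-application component inventory and asks which applications ship an affected build of the Struts REST plugin. The inventory and the advisory record are constructed for illustration; only the CVE id and the fixed version (2.5.13) come from the item above, and the affected lower bound (2.5.0) is an assumption.

```python
"""Match a per-application component inventory against a vulnerability advisory.

Added example, not the newsletter's or Black Duck's code. The inventory and the
advisory record are constructed; only the CVE id and the fix version (2.5.13)
come from the newsletter item, and the affected lower bound is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.13' into (2, 5, 13) so versions compare numerically.

    A qualifier after a dash (e.g. '2.5.13-SNAPSHOT') is dropped; a real
    inventory tool must follow the ecosystem's own version-ordering rules.
    """
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str       # canonical component name as used in the inventory
    affected_from: str   # first affected version (inclusive); assumption
    fixed_in: str        # first fixed version (exclusive upper bound)

    def affects(self, version: str) -> bool:
        """True when the installed version falls inside the affected range."""
        installed = parse_version(version)
        return parse_version(self.affected_from) <= installed < parse_version(self.fixed_in)


# Constructed inventory: application -> {component: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "billing-portal": {"struts2-core": "2.5.10", "struts2-rest-plugin": "2.5.10"},
    "hr-intranet": {"struts2-core": "2.5.13", "struts2-rest-plugin": "2.5.13"},
    "static-site": {"nginx": "1.12.1"},
}

# Constructed advisory record: CVE id and fix version from the newsletter,
# lower bound assumed for illustration.
STRUTS_REST_ADVISORY = Advisory(
    cve="CVE-2017-9805",
    component="struts2-rest-plugin",
    affected_from="2.5.0",
    fixed_in="2.5.13",
)


def affected_applications(inventory: Dict[str, Dict[str, str]],
                          advisory: Advisory) -> List[Tuple[str, str]]:
    """Return sorted (application, installed_version) pairs that need the patch.

    Applications that do not ship the component at all are skipped, which is
    exactly the triage the quoted 'fire drill' lacks when no inventory exists.
    """
    hits: List[Tuple[str, str]] = []
    for app, components in inventory.items():
        version = components.get(advisory.component)
        if version is not None and advisory.affects(version):
            hits.append((app, version))
    return sorted(hits)


if __name__ == "__main__":
    adv = STRUTS_REST_ADVISORY
    for app, version in affected_applications(INVENTORY, adv):
        print(f"{adv.cve}: {app} ships {adv.component} {version}; upgrade to {adv.fixed_in}")
```

Run against the constructed inventory, only `billing-portal` is reported; `hr-intranet` already carries the fixed 2.5.13 build and `static-site` does not use Struts. The point of the design is that the advisory lookup is a single dictionary read per application because the inventory was kept continuously, not reconstructed after the disclosure.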
German Election Voting Software Riddled With Holes, Researchers Warn
via ZDNet: As national elections loom, questions have surfaced about the security of Germany's voting results software.
Subscribe
Stay up to date on open source security and cybersecurity – subscribe to our blog today.