Apache Struts - Critical Security Flaw

DustinB3403

Update your servers folks.

The vulnerability hasn't been released yet, but has been announced. You have a few days.

hobbit666

will a apt-get upgrade be ok?

DustinB3403

Assuming you're running Apache Struts I would think so.

This isn't normal apache (httpd) that many of us have installed.

hobbit666

@dustinb3403 Ah OK missed that bit lol

QuixoticJustin

That's some old school stuff right there. Haven't seen anyone using Struts in a dog's age.

stacksofplates

@quixoticjustin said in Apache Struts - Critical Security Flaw:

That's some old school stuff right there. Haven't seen anyone using Struts in a dog's age.

A struts flaw was found back in March or so also. I think it's only legacy govt stuff on it now

DustinB3403

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

scottalanmiller

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

That's what they get for running ancient stuff that - no one serious has eyes on that stuff any longer.

DustinB3403

@scottalanmiller said in Apache Struts - Critical Security Flaw:

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

That's what they get for running ancient stuff that - no one serious has eyes on that stuff any longer.

We are a part of that group, being an adult in the US, who has credit means you and I and just about everyone else is screwed.

coliver

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

coliver

@dustinb3403 So where does it go from incompetence to malevolent incompetence?

DustinB3403

@coliver said in Apache Struts - Critical Security Flaw:

@dustinb3403 So where does it go from incompetence to malevolent incompetence?

It's already at the point of being intentional. Everyone in the chain of command from the CEO to the head of the IT department to the System Administrator who didn't patch the system should be brought up on charges and burned at the stake.

scottalanmiller

@coliver said in Apache Struts - Critical Security Flaw:

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

scottalanmiller

@coliver said in Apache Struts - Critical Security Flaw:

@dustinb3403 So where does it go from incompetence to malevolent incompetence?

When you accept the job knowing you are incompetent.

coliver

@scottalanmiller said in Apache Struts - Critical Security Flaw:

@coliver said in Apache Struts - Critical Security Flaw:

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

It was patched two months prior to when the web application was exploited.

DustinB3403

@coliver said in Apache Struts - Critical Security Flaw:

@scottalanmiller said in Apache Struts - Critical Security Flaw:

@coliver said in Apache Struts - Critical Security Flaw:

@dustinb3403 said in Apache Struts - Critical Security Flaw:

Oh wonderful. . .

Strut flaw was the root cause of the Equifax breach.

The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

It was patched two months prior to when the web application was exploited.

No Equifax failed to patch until 2 months after they were breached.

momurda

Equifax was breached in May. Patch for Struts was in March. They announced the breach last week.

scottalanmiller

@momurda said in Apache Struts - Critical Security Flaw:

Equifax was breached in May. Patch for Struts was in March. They announced the breach last week.

Oh, well zero excuses then.

matteo nunziati

here is the Apache explanation

JaredBusch

Was the Eqifax breech because of the march strus flaw or a more recent one?

Just making sure the actual facts are known.