    Apache Struts - Critical Security Flaw

      DustinB3403 @coliver

      @coliver said in Apache Struts - Critical Security Flaw:

      @dustinb3403 So where does it go from incompetence to malevolent incompetence?

      It's already at the point of being intentional. Everyone in the chain of command from the CEO to the head of the IT department to the System Administrator who didn't patch the system should be brought up on charges and burned at the stake.

        scottalanmiller @coliver

        @coliver said in Apache Struts - Critical Security Flaw:

        @dustinb3403 said in Apache Struts - Critical Security Flaw:

        Oh wonderful. . .

        Struts flaw was the root cause of the Equifax breach.

        The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

        Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

          scottalanmiller @coliver

          @coliver said in Apache Struts - Critical Security Flaw:

          @dustinb3403 So where does it go from incompetence to malevolent incompetence?

          When you accept the job knowing you are incompetent.

            coliver @scottalanmiller

            @scottalanmiller said in Apache Struts - Critical Security Flaw:

            @coliver said in Apache Struts - Critical Security Flaw:

            @dustinb3403 said in Apache Struts - Critical Security Flaw:

            Oh wonderful. . .

            Struts flaw was the root cause of the Equifax breach.

            The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

            Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

            It was patched two months prior to when the web application was exploited.

              DustinB3403 @coliver

              @coliver said in Apache Struts - Critical Security Flaw:

              @scottalanmiller said in Apache Struts - Critical Security Flaw:

              @coliver said in Apache Struts - Critical Security Flaw:

              @dustinb3403 said in Apache Struts - Critical Security Flaw:

              Oh wonderful. . .

              Struts flaw was the root cause of the Equifax breach.

              The fact that they didn't patch it makes it more concerning. It's not necessarily the architecture at that point. If they had updated their infrastructure and implemented a patch this would have been a non-issue.

              Is that true? The exploit has been there in Struts for a while but only recently announced. The breach was a while ago. I'm not sure that Struts had been patched at that point.

              It was patched two months prior to when the web application was exploited.

              No, Equifax failed to patch until 2 months after they were breached.

                momurda

                Equifax was breached in May. Patch for Struts was in March. They announced the breach last week.

                  scottalanmiller @momurda

                  @momurda said in Apache Struts - Critical Security Flaw:

                  Equifax was breached in May. Patch for Struts was in March. They announced the breach last week.

                  Oh, well zero excuses then.

                    matteo nunziati

                    Here is the Apache explanation

                      JaredBusch

                      Was the Equifax breach because of the March Struts flaw or a more recent one?

                      Just making sure the actual facts are known.

                        coliver @JaredBusch

                        @jaredbusch said in Apache Struts - Critical Security Flaw:

                        Was the Equifax breach because of the March Struts flaw or a more recent one?

                        Just making sure the actual facts are known.

                        The one from March.
