In the past year, 3,054 organizations downloaded the same Struts2 component exploited in Equifax hack
Fulton, MD – September 18, 2017 – Sonatype, the leader in software supply chain automation, today released new data on the number of organizations that have downloaded versions of the Struts2 component vulnerable to CVE-2017-5638, the flaw exploited in the massive breach at Equifax.
Analyzing data from the Maven Central repository, the largest distribution point for Java open source components, Sonatype found a startling lack of hygiene related to enterprise consumption of vulnerable Struts2 components. The company’s research reveals that in the last 12 months:
- 3,054 organizations downloaded the exact versions of Struts2 that were publicly disclosed as vulnerable (CVE-2017-5638) on March 7, 2017, the flaw subsequently exploited at Equifax between May and July 2017.
- 1,731 organizations downloaded versions of Struts2 that were publicly disclosed as vulnerable in July 2013, a disclosure followed by numerous breaches at major organizations in the weeks after it.
- 46,557 organizations downloaded a version of Struts and/or one of its sub-projects with known vulnerabilities, even though fixed versions were available.
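The practical question behind these numbers is whether a build is pulling a Struts2 version inside a published affected range. The script below is an added example, not Sonatype's tooling or anything from the original release: it reads lines in the form printed by `mvn dependency:list` (an assumed input format) and flags `struts2-core` coordinates that fall inside the affected ranges stated in the Apache advisories for the two disclosures above, S2-045 (CVE-2017-5638: 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) and S2-016 (CVE-2013-2251: 2.0.0 to 2.3.15, fixed in 2.3.15.1). Those ranges come from the advisories, not from this page, and the sample dependency list is constructed to exercise the range boundaries.

```python
"""
Flag struts2-core versions inside the affected ranges of two Apache Struts advisories.
Ranges are taken from the Apache advisories S2-045 and S2-016, not from the press release:
  CVE-2017-5638 (S2-045): 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (fixed in 2.3.32 and 2.5.10.1)
  CVE-2013-2251 (S2-016): 2.0.0 - 2.3.15               (fixed in 2.3.15.1)
Assumed input: lines as printed by `mvn dependency:list`, e.g.
  [INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
"""
import re
from typing import List, Tuple

# Inclusive (low, high) version-tuple ranges, keyed by advisory id.
ADVISORIES = {
    "CVE-2017-5638": [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))],
    "CVE-2013-2251": [((2, 0, 0), (2, 3, 15))],
}
STRUTS_CORE = "org.apache.struts:struts2-core"


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Stops at the first non-numeric segment
    (e.g. '-SNAPSHOT'), so qualifiers do not disturb the ordering."""
    nums = []
    for segment in re.split(r"[.\-]", version):
        if not segment.isdigit():
            break
        nums.append(int(segment))
    return tuple(nums)


def affected_advisories(version: str) -> List[str]:
    """Advisory ids whose range contains `version`. Python tuple comparison makes
    (2, 5, 10, 1) > (2, 5, 10), so the fixed 2.5.10.1 correctly falls outside S2-045."""
    v = parse_version(version)
    return [cve for cve, ranges in ADVISORIES.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def find_vulnerable(dependency_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, advisory) pairs for every struts2-core entry in an affected range."""
    hits = []
    for raw in dependency_lines:
        line = raw.replace("[INFO]", "").strip()
        parts = line.split(":")
        # groupId:artifactId:packaging[:classifier]:version:scope -> version is second to last
        if len(parts) < 5:
            continue
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[-2]
        if coordinate != STRUTS_CORE:
            continue
        for cve in affected_advisories(version):
            hits.append((f"{coordinate}:{version}", cve))
    return hits


# Constructed sample output chosen to exercise the range boundaries; not real project data.
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.15:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
""".strip().splitlines()

if __name__ == "__main__":
    for coordinate, cve in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate} is affected by {cve}")
```

The check only covers `struts2-core`, where the affected multipart parser lives; the other Struts sub-projects the figures above mention would need their own advisory ranges added to `ADVISORIES`. Note that 2.3.15 is reported twice, once per advisory, because it predates both fixes.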
In an effort to accelerate innovation and avoid redundant costs, organizations are embracing open source at an extraordinary pace. Last year alone, enterprise developers requested more than 100 billion components from repositories such as Maven Central, NPM, and PyPI. Today, 80 to 90 percent of a typical application consists of open source components like Apache Struts. Yet, according to Sonatype's 2017 DevSecOps Community Survey, 43 percent of organizations say they have no formal policy to govern the quality and security of the open source components used in their applications.
Additionally, Sonatype’s 2017 State of the Software Supply Chain report found that 4.6 percent (1 in 22) of the components used in production software have known vulnerabilities.
“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open source components are simply not paying attention,” said Wayne Jackson, CEO of Sonatype. “The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.”
Proposed legislation in the U.S. and the General Data Protection Regulation (GDPR) soon to take effect in the European Union will hold organizations liable for poor software supply chain hygiene. In the past year in the U.S., the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety, and security of software supply chains.
- Read the 2017 State of the Software Supply Chain report.
- Read the 2017 DevSecOps Community Survey Report.
- Review the Internet of Things (IoT) Cybersecurity Improvement Act of 2017
- Analyze your applications for vulnerable open source components (free service).
- Learn more about Sonatype’s software supply chain automation solutions.
- Additional background on Struts, the Struts2 vulnerabilities and the Equifax breach.
Sonatype is the leading provider of DevOps-native tools to automate modern software supply chains. As the creators of Apache Maven, the Central Repository, and Nexus Repository, Sonatype pioneered componentized software development and has a rich history of supporting open source innovation. Today, more than 120,000 organizations depend on Sonatype’s Nexus platform to govern the volume, variety, and quality of open source components flowing into modern software applications. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. Learn more at www.sonatype.com.
Media contact: SpeakerBox Communications for Sonatype