BLACK DUCK RELEASES THREAT CHECK FOR STRUTS; FREE-USE TOOL ALLOWS ORGANISATIONS WORLDWIDE TO AUTO-DETECT EQUIFAX VULNERABILITY

CEO – “Equifax breach shouldn’t have happened. Further exploits must be avoided”

Black Duck, the global leader in automated solutions for securing and managing open source software, today announced availability of a free-use tool that enables organisations to determine if they are at risk from the Apache Struts vulnerability that was exploited in the recent, high-profile Equifax breach.

Black Duck said Threat Check for Struts can rapidly and accurately analyse applications or containers to detect Struts vulnerabilities, including CVE-2017-5638, which was exploited at Equifax and resulted in the theft of the personal data of 143 million consumers.

“The Equifax breach never should have happened,” said Black Duck CEO Lou Shipley. “Equifax has acknowledged that. Even though a patch for the exploited Apache Struts vulnerability had been available for two months when the breach occurred, it hadn’t been applied. Unfortunately, this is something we see time and again – a known, fixable open source vulnerability not being remediated.”

Shipley said that because Apache Struts is so widely used, including by Fortune 100 companies, to build corporate websites and web applications in sectors including education, government, financial services, retail and media, “we wanted to avoid any additional exploits that could be even more costly and damaging than the one at Equifax.”

Black Duck said it encourages companies to make use of Threat Check for Struts to address this current issue as quickly as possible.

Although open source software – such as Apache Struts – comprises 80 to 90 percent of the code in modern applications, Shipley said most organisations lack good visibility into the open source they are using. He said that even when patches or fixes for known open source vulnerabilities are available, most companies lack automated processes for identifying and monitoring their open source, so they are often unaware that they are using a vulnerable open source component, or that a fix is available.