Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.” Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised.

1. Open Source Insight:
CVE–2017-9805, Equifax Breach & Wacky Open Source Licenses
By Fred Bals | Senior Content Writer/Editor

2. Cybersecurity News This Week
Our vulnerability of the week is CVE-2017-9805, which resides in
Apache Struts’ REST plugin, a must-have in almost all Struts
enterprise deployments. Attackers can exploit the bug via HTTP
requests or via any other socket connection, with a public exploit
published on Thursday. Happily, on Monday the Apache Struts team
released Apache Struts v2.5.13, which includes a fix for CVE-2017-
9805. As always, the byword of the week is “patch and update.”
Also looming large in this week’s news is the massive cyber-break-in
at Equifax, where highly sensitive personal and financial information
for around 143 million U.S. consumers (the editor apparently being
among those affected) was compromised.

3. • Apache Struts Vulns Threatens Fortune 500 Data
• "Easy" to Hack Apache Struts Vulnerability
CVE-2017-9805
• Diving Deep into Wild & Wacky Open Source
Licenses
• Court Ruling Adds New Power to Open Source
Licenses
• Breach at Equifax May Impact 143M Americans
Open Source News

4. More Open Source News
• A Cybersecurity Breach at Equifax Left Pretty Much
Everyone's Financial Data Vulnerable
• See if You Were Affected by the Equifax Cybersecurity
Incident | Equifax
• Are You an Easy Hacking Target? Cybersecurity Tips for
Small Business
• Compliant? Sure, But With What?
• German Election Voting Software Riddled With Holes,
Researchers Warn

5. via InfoSecurity: Mike Pittenger, VP of security
strategy at Black Duck Software, elaborated on
the point: “Once again, we see the importance of
having full visibility to all of the components used
in your software… this fire drill happens with
every new critical vulnerability, because the
vulnerability assessment tools have no
persistent knowledge of the applications we
build and the components used.”
Apache Struts Vulns Threatens Fortune
500 Data

6. "Easy" to Hack Apache Struts
Vulnerability CVE-2017-9805
via Black Duck blog (Mike Pittenger): There is a simpler
way to handle these incidents, and it's not new nor a secret. In
fact, the automotive industry solved this problem over one
hundred years ago… doing the same with software —
maintaining an accurate list of all components used in each
application—makes incident response much easier when
vulnerabilities like this are disclosed.

7. via Black Duck blog (Phil Odence): Copyleft
terms seemed pretty strange to many seasoned
attorneys familiar with commercial software
licenses when they first encountered the GPL,
but it is far from the weirdest license out there.
While the GPL has come to be reasonably well-
understood, a number of licenses on the lunatic
fringe will surprise and perhaps amuse.
Diving Deep into Wild & Wacky Open
Source Licenses

8. Court Ruling Adds New Power to Open Source Licenses
via IT Pro Windows: Any organization
using open source software should make
sure there is a strong open source policy
in place that dots the "I"s and crosses
the "T"s. Why? Because open source
licenses recently became even more
enforceable than they were already.

9. via Krebs on Security: I have long urged
consumers to assume that all of the personal
information jeopardized in this breach is already
compromised and for sale many times over in
the cybercrime underground (because it
demonstrably is for a significant portion of
Americans). One step in acting on that
assumption is placing a credit freeze on one’s
file with the three major credit bureaus and
with Innovis — a fourth bureau which runs credit
checks for many businesses but is not as widely
known as the big three.
Breach at Equifax May Impact 143M
Americans

10. A Cybersecurity Breach at Equifax Left Pretty
Much Everyone's Financial Data Vulnerable
via The Atlantic: For Americans who want to protect their
personal information, there is no way, in our current system, to do
so. On Thursday, Equifax, one of three major credit reporting
agencies, revealed that highly sensitive personal and financial
information for around 143 million U.S. consumers was
compromised in a cybersecurity breach that began in late spring.
There are only around 125 million households in the U.S.

11. via Equifax: Determine if your
personal information may have
been impacted by this incident.
See if You Were Affected by the Equifax
Cybersecurity Incident | Equifax

12. Are You an Easy Hacking Target?
Cybersecurity Tips for Small Business
via The Guardian: A total of 61% of all data breaches this year
occurred in businesses with fewer than 1,000 employees, according
to the Verizon Data Breach Investigations Report. What’s more, new
European regulation aimed at protecting personal data (GDPR)
comes into force next year, and could result in fines of between 2%
and 4% of annual turnover, or €20m (£18m), whichever is greater. Not
only have hacks increased in frequency, but the impact on SMEs is
getting much bigger.

13. via Black Duck blog (David Znidarsic, Founder & President of
Stairstep Consulting): Open source management best practices
require organizations to know the open source in their code in order to
reduce risks, tighten policies, and monitor and audit for compliance and
policy violations. Automating identification of all open source in use
allows development and license teams to quickly gain visibility into any
known open source security vulnerabilities as well as compliance
issues, define and enforce open source use and risk policies, and
continuously monitor for newly disclosed vulnerabilities.
Compliant? Sure, But With What?

14. German Election Voting Software Riddled
With Holes, Researchers Warn
via ZDNet: As national elections
loom, questions have surfaced about
the security of Germany's voting
results software.

15. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.