Using atomic transactions in Postgres to power an idempotent API
Haha. I hadn’t even noticed that I’d written it that way, but I guess that’s how I’ve internalized it. I just pushed a fix that’ll be visible as soon as the page expires out of CloudFront.
I think the interesting part is that we still don’t know the exact vulnerability that allowed Equifax to be compromised. This statement mentions CVE-2017-9805 because that’s what was asserted elsewhere, but given the timeline, no part of CVE-2017-9805 would have been disclosed at the time of attack, meaning that the hackers would have had to discover the vulnerability independently.
Another Struts vulnerability that’s a decent candidate is CVE-2017-5638 [1], which allows injection of arbitrary commands via a crafted Content-Type header.
[1] https://www.cvedetails.com/cve/CVE-2017-5638/
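As an added example, not code from this thread or from the Struts project: a small detection check for the pattern the comment above describes, an OGNL expression (`%{...}` or `${...}`) sitting where a media type should be in the Content-Type header, run over a few constructed log lines. The log format, the field names and the client addresses are invented for the example; the only thing taken from the page is that the crafted header, not the request body, is the injection point.

```python
import re

# Constructed log format for this example (not any real server's format):
# <timestamp> <client> <method> <path> "<Content-Type value>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines. Two carry an expression in the Content-Type slot,
# the others carry ordinary media types.
SAMPLE_LOG = """\
2017-03-07T10:00:01Z 203.0.113.5 POST /upload.action "multipart/form-data; boundary=----abc123"
2017-03-07T10:00:02Z 203.0.113.9 POST /upload.action "%{(#x=1).(#x)}"
2017-03-07T10:00:03Z 198.51.100.4 GET /index.action "application/json"
2017-03-07T10:00:04Z 198.51.100.7 POST /upload.action "${(#y=2)}"
""".splitlines()

# OGNL expressions open with "%{" or "${"; a well-formed media type never contains
# either sequence, so their presence in the header is enough to flag the request.
OGNL_MARKER = re.compile(r"[%$]\{")

# Positive grammar check as a second signal: RFC 7231 media type, i.e. a
# token "/" token followed by optional ";name=value" parameters. "{" and "}"
# are not token characters, so an expression fails this check too.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_TYPE = re.compile(
    r"^" + TOKEN + r"/" + TOKEN
    + r"(\s*;\s*" + TOKEN + r'=("[^"]*"|[^;\s]*))*\s*$'
)


def is_suspicious_content_type(value: str) -> bool:
    """True when the header value carries an expression marker or is not a
    syntactically valid media type at all."""
    if OGNL_MARKER.search(value):
        return True
    return MEDIA_TYPE.match(value) is None


def scan_log_lines(lines):
    """Return (client, path, content_type) for every line whose Content-Type
    value looks like an injected expression. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ctype = m.group("ctype")
        if is_suspicious_content_type(ctype):
            hits.append((m.group("client"), m.group("path"), ctype))
    return hits


if __name__ == "__main__":
    for client, path, ctype in scan_log_lines(SAMPLE_LOG):
        print(f"{client} {path} Content-Type={ctype!r}")
```

Matching on the opening marker rather than on a specific payload is deliberate: the expression body varies from exploit to exploit, but the header slot has no legitimate reason to contain `%{` or `${`, so the check stays simple and produces no false positives on ordinary `multipart/form-data` uploads.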
According to Matthew Bricker (Struts developer), it was CVE-2017-5638.
https://twitter.com/MatthewBricker/status/907617331555250176