undefined | Better HN

0 pointsg0510518y ago0 comments

It was also announced by Equifax themselves so of course it's common knowledge. I'm not sure of your point here.

https://investor.equifax.com/news-and-events/news/2017/09-15...

"Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online."

0 comments

2 comments · 1 top-level

spathi_fwiffo8y ago· 1 in thread

He already made his point: "Struts had provided a remedy for the fault, months prior."

According to your quote, they patched only after they were the victims of a breach; they should have been pro-active and dealt with the issue as soon as the vulnerability was made public.

g051051OP8y ago

You're assuming that they took no action, as opposed to not being 100% effective in their detection and coverage. There's no evidence that they simply ignored it. If they're using Struts, all they had to do is miss one instance of the wrong jar somewhere in their software ecosystem.

j / k navigate · click thread line to collapse