Missed patch caused Equifax data breach

Roland6 Silver badge

Re: Typical problem of many large organizations

This ignores the other factors in this...

Firstly, we have Apache, who reportedly fixed the vulnerability with the release of new code on 7-Mar-2017. What I found interesting was that the Apache announcement for this release contains the following:

This release addresses one potential security vulnerability:

Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser

Namely, no explicit mention of the CVE fixed in the release, making it relatively easy for a busy admin - with several dozen packages' status to monitor - to downgrade the update from 'must do' to 'pending'. Which leads us to the first challenge: communicating important information to user organisations.

Secondly, we have the other problem of large interconnected IT systems. I suspect that Equifax, like many organisations, wasn't running the latest releases and was running a few releases behind, so fixing might require doing more than simply running a patch file and thus increase the need for design review, planning, testing etc., which in turn increases the time before the vulnerability is fixed.
