On 19 September 2017 The Apache® Software Foundation ("ASF") http://apache.org/ was contacted by the US House Committee on Energy and Commerce to answer questions in preparation for their hearing on 3 October regarding the Equifax data breach.
The official response from the ASF follows.
= = =
RESPONSES TO QUESTIONS FROM
US HOUSE COMMITTEE ON ENERGY AND COMMERCE
We think that it is important to provide background about The Apache Software Foundation ("ASF") and its projects as the ASF is very different from conventional for-profit software companies.
– interacts with the users of its software and provides patches in a different manner than such conventional for-profit software companies;
– is a not-for-profit foundation qualified under Section 501(c)(3) of the IRS regulations;
– develops, shepherds, and incubates hundreds of Open Source software projects that are run solely by volunteers, with some Foundation-level operations and services (such as infrastructure, administration, and marketing) provided by paid staff;
– provides all of its Open Source software free of charge to the public at-large;
– is financially supported by donations from corporations and individuals;
– is vendor neutral: participation is limited to individuals, irrespective of affiliation or employment status.
Code for Apache projects is written by more than 6,000 volunteer individuals and employees of corporations across six continents and contributed to the ASF at no cost. The ASF maintains records of contributors solely through its list of "contributor license agreements". All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. The ASF has confirmed that it has not received a CCLA from Equifax, nor has it received code contributions by Equifax employees (although the ASF cannot determine whether an individual contributor is affiliated with Equifax).
Each Apache software project is managed by a Project Management Committee ("PMC"), a self-selected team of active contributors to the project. A PMC guides the project’s day-to-day operations, including community development and product releases. The PMC oversees the software development for the projects, including any patches to those projects, which is available for anyone for download from the apache.org website and numerous global mirror sites. Releases of code for Apache
are managed by the PMC, who distinguish between project software releases and patches published to our issue trackers. New releases that include patches are created, voted on by the PMC, and made available for download. The ASF then alerts the community to the patches. Unlike conventional for-profit software companies, the ASF does not provide the patches directly to the users of its software projects.
The ASF does not provide conventional for-profit maintenance contracts or support the way a conventional for-profit software company would because Apache is a charitable organization composed of volunteers. The ASF provides its projects the facility to maintain numerous mailing lists to share with their developer and user communities project-related news and updates, technical discussions, troubleshooting, recommendations, and assistance in an open forum. Some conventional for-profit software companies package software produced by Apache in order to provide more comprehensive support or provide consulting support services.
RESPONSES TO QUESTIONS FROM US HOUSE COMMITTEE ON ENERGY AND COMMERCE:
1) When did the ASF learn of the vulnerability that became CVE-2017-5638?
On 14 February 2017, the Apache Struts PMC first received report of the vulnerability which became CVE-2017-5638. The ASF does not have direct information about whether the CVE-2017-5638 vulnerability caused the Equifax hack.
2) How did the ASF learn of it?
The Apache Struts PMC received a report via its security mailing list from Nike Zheng about the vulnerability.
3) When did the ASF make a patch available for CVE-2017-5638?
ASF provided a patch for the CVE-2017-5638 bug on 7 March 2017, the same day on which it was reported on its blog. On 7 March 2017, the Apache Struts PMC officially posted an announcement about the vulnerability, along with two Struts releases that fixed it
4) Did the Foundation provide guidance on how the patch/update should be installed (my understanding is that it was a bit more complicated than a traditional patch)?
The patch was released as part of a full release of the Apache Struts project, which means users had to upgrade to the latest version, which is the simplest way of implementing the patch. The Apache Struts PMC also provided other options, including information about using different implementation of the Multipart parser or filtering out suspicious requests, and other options to implement the patch http://struts.apache.org/docs/s2-045.html . In addition, on 20 March 2017 the Apache Struts PMC released two custom plug-ins to resolve the vulnerability without upgrading to the latest version
5) The ASF’s software is all open-source, as we understand it:
Yes: all ASF software projects are provided under the Apache Software License, version 2, an Open Source Software (OSS) license.
For large organizations like Equifax that rely on Apache’s OSS, do they:
i. Provide financial assistance, such as donations, to help pay for maintenance of the codebase?
While financial assistance is not required for using ASF software projects, some corporations choose to provide financial assistance through donations. However the number of companies that provide donations is a very small percentage of the total corporate users of ASF projects.
Donations to ASF go to a general fund and are not targeted for the development, maintenance, or influence of particular projects.
ii. Provide "volunteers" who help craft/review/patch code?
Some corporations ask that employees contribute to certain projects, but, as noted above, the number of companies that have their employees contribute to ASF projects is a very small percentage of the users of ASF projects.
iii. Provide other assistance to help maintain the availability and/or quality of the OSS?
Some corporations provide products, sales, and support services for Apache projects. These organizations have no direct relationship with the ASF. As noted above, the number of companies that have their employees contribute to ASF projects is a very small percentage of the corporate users of ASF projects.
# # #