Apache Struts Statement on Equifax Security Breach
The Apache Struts project has put out a statement on the possible role played by a Struts vulnerability in the massive Equifax data breach. "Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here -- we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business -- people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805."