[this announcement is available online at https://s.apache.org/rjmv ]

On 19 September 2017 The Apache® Software Foundation ("ASF")
http://apache.org/ was contacted by the US House Committee on Energy and
Commerce to answer questions in preparation for their hearing on 3
October regarding the Equifax data breach.

The official response from the ASF follows.

= = =


RESPONSES TO QUESTIONS FROM
US HOUSE COMMITTEE ON ENERGY AND COMMERCE

BACKGROUND:

We think that it is important to provide background about The Apache
Software Foundation ("ASF") and its projects as the ASF is very
different from conventional for-profit software companies.

The ASF:

 - interacts with the users of its software and provides patches in a
 different manner than such conventional for-profit software companies;
 - is a not-for-profit foundation qualified under Section 501(c)(3) of
 the IRS regulations;
 - develops, shepherds, and incubates hundreds of Open Source software
 projects that are run solely by volunteers, with some Foundation-level
 operations and services (such as infrastructure, administration, and
 marketing) provided by paid staff;
 - provides all of its Open Source software free of charge to the public
 at-large;
 - is financially supported by donations from corporations and
 individuals;
 - is vendor neutral: participation is limited to individuals,
 irrespective of affiliation or employment status.

Code for Apache projects is written by more than 6,000 volunteer
individuals and employees of corporations across six continents and
contributed to the ASF at no cost. The ASF maintains records of
contributors solely through its list of "contributor license
agreements". All individuals who are granted write access to the Apache
repositories must submit an Individual Contributor License Agreement
(ICLA). Corporations that have assigned employees to work on Apache
projects as part of an employment agreement may sign a Corporate CLA
(CCLA) for contributing intellectual property via the corporation. The
ASF has confirmed that it has not received a CCLA from Equifax, nor has
it received code contributions by Equifax employees (although the ASF
cannot determine whether an individual contributor is affiliated with
Equifax).

Each Apache software project is managed by a Project Management
Committee ("PMC"), a self-selected team of active contributors to the
project. A PMC guides the project's day-to-day operations, including
community development and product releases. The PMC oversees the
software development for the projects, including any patches to those
projects, which are available for anyone to download from the apache.org
website and numerous global mirror sites. Releases of code for Apache
are managed by the PMC, who distinguish between project software
releases and patches published to our issue trackers. New releases that
include patches are created, voted on by the PMC, and made available for
download. The ASF then alerts the community to the patches. Unlike
conventional for-profit software companies, the ASF does not provide the
patches directly to the users of its software projects.

The ASF does not provide conventional for-profit maintenance contracts
or support the way a conventional for-profit software company would
because Apache is a charitable organization composed of volunteers. The
ASF provides its projects the facility to maintain numerous mailing
lists to share with their developer and user communities project-related
news and updates, technical discussions, troubleshooting,
recommendations, and assistance in an open forum. Some conventional
for-profit software companies package software produced by Apache in
order to provide more comprehensive support or provide consulting
support services.

RESPONSES TO QUESTIONS FROM US HOUSE COMMITTEE ON ENERGY AND COMMERCE:

1) When did the ASF learn of the vulnerability that became
CVE-2017-5638?

On 14 February 2017, the Apache Struts PMC first received a report of the
vulnerability which became CVE-2017-5638. The ASF does not have direct
information about whether the CVE-2017-5638 vulnerability caused the
Equifax hack.

2) How did the ASF learn of it?

The Apache Struts PMC received a report via its security mailing list
from Nike Zheng about the vulnerability.

3) When did the ASF make a patch available for CVE-2017-5638?

The ASF provided a patch for the CVE-2017-5638 bug on 7 March 2017, the
same day on which it reported the vulnerability on its blog. On 7 March
2017, the Apache Struts PMC officially posted an announcement about the
vulnerability, along with two Struts releases that fixed it:

http://struts.apache.org/announce.html#a20170307
http://struts.apache.org/announce.html#a20170307-2

4) Did the Foundation provide guidance on how the patch/update should be
installed (my understanding is that it was a bit more complicated than a
traditional patch)?

The patch was released as part of a full release of the Apache Struts
project, which means users had to upgrade to the latest version; this
is the simplest way of implementing the patch. The Apache Struts PMC
also provided other options, including information about using a
different implementation of the Multipart parser or filtering out
suspicious requests, and other ways to implement the patch:
http://struts.apache.org/docs/s2-045.html . In addition, on 20 March
2017 the Apache Struts PMC released two custom plug-ins to resolve the
vulnerability without upgrading to the latest version:
http://struts.apache.org/announce.html#a20170320
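As an added illustration of the "filtering out suspicious requests" option described above (example code written for this page, not the ASF's or the Struts project's own), the following servlet Filter rejects any request whose Content-Type header is not a well-formed media type before the request reaches the multipart parser. The class name, the allowlist pattern and the 400 response are assumptions.

```java
// Added example, not from the ASF response or the Struts project: a servlet
// Filter that only lets well-formed Content-Type headers through. The token
// and value character classes below are assumed, deliberately conservative
// approximations of the media-type grammar; adjust to the application's needs.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContentTypeFilter implements Filter {
    // type/subtype and parameter names: a restricted token alphabet.
    private static final String TOKEN = "[A-Za-z0-9!#$&+._^-]+";
    // parameter values: either quoted, or an unquoted run of characters that
    // covers typical multipart boundary strings (letters, digits, '()+_,-./:=?).
    private static final String VALUE = "(\"[^\"]*\"|[A-Za-z0-9'()+_,./:=?-]+)";
    // Whole header: type/subtype followed by zero or more ;name=value parameters.
    private static final Pattern WELL_FORMED = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN + "(\\s*;\\s*" + TOKEN + "=" + VALUE + ")*\\s*$");

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (contentType != null && !WELL_FORMED.matcher(contentType).matches()) {
            // Anything outside the allowlist is refused up front, so the
            // application's multipart handling never sees the header.
            ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_BAD_REQUEST, "Malformed Content-Type header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter must be mapped in web.xml ahead of the application's framework filter, since filters run in declaration order and this check only helps if it runs first.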

5) The ASF's software is all open-source, as we understand it:

Yes: all ASF software projects are provided under the Apache Software
License, version 2, an Open Source Software (OSS) license.


For large organizations like Equifax that rely on Apache’s OSS, do they:

i.      Provide financial assistance, such as donations, to help pay for
maintenance of the codebase?

While financial assistance is not required for using ASF software
projects, some corporations choose to provide financial assistance
through donations. However, the number of companies that provide
donations is a very small percentage of the total corporate users of ASF
projects.

Donations to ASF go to a general fund and are not targeted for the
development, maintenance, or influence of particular projects.

ii.     Provide "volunteers" who help craft/review/patch code?

Some corporations ask that employees contribute to certain projects,
but, as noted above, the number of companies that have their employees
contribute to ASF projects is a very small percentage of the users of
ASF projects.

iii.    Provide other assistance to help maintain the availability
and/or quality of the OSS?

Some corporations provide products, sales, and support services for
Apache projects. These organizations have no direct relationship with
the ASF. As noted above, the number of companies that have their
employees contribute to ASF projects is a very small percentage of the
corporate users of ASF projects.

# # #
