Laksh Raghavan of PayPal has written about how his company managed their response to a critical Java open source component vulnerability in one of their applications. Similar to the vulnerable Struts2 component implicated in the Equifax breach of 143 million consumer records -- and more recently in the Zealot campaign -- the vulnerability at PayPal would allow for the most critical form of software vulnerability: remote code execution.
Laksh described how their team discovered the vulnerability through an alert originating from their bug bounty program. He then addressed how the team remediated the issue at scale, including short- and long-term efforts. Critical to their success and speed of remediation were code repositories, automated application analysis, and prioritization of fixes.
The first thing they did was to take an inventory of their applications to assess which ones used the vulnerable component. Laksh commented:
He then recommended the following remediation steps, specific to their use of the vulnerable Commons Collections component but applicable to many vulnerable components:
While we can't turn back time on the Equifax breach, we can learn from others who performed successful discovery and remediation of their vulnerable components at scale.
Readers interested in the full PayPal remediation process can read Laksh's original blog here.
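The inventory step described above, finding which applications declare the vulnerable component, as an added example that is not PayPal's tooling or code from Laksh's post: it walks a set of Maven POMs, resolves `${property}` versions, flags dependencies whose version is inherited (and therefore unknown), and reports hits below an assumed cutoff; the app names, POM contents and the "3.2.2" cutoff are constructed placeholders, not values from the page.

```python
import re
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def _resolve(version, props):
    """Expand a ${property} reference using the POM's <properties> block."""
    if version is None:
        return None
    m = re.fullmatch(r"\$\{(.+?)\}", version.strip())
    return props.get(m.group(1)) if m else version.strip()

def pom_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] declared directly in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", default="", namespaces=NS).strip()
        a = d.findtext("m:artifactId", default="", namespaces=NS).strip()
        deps.append((g, a, _resolve(d.findtext("m:version", namespaces=NS), props)))
    return deps

def below(cutoff):
    """Predicate: True when the version is older than cutoff, or missing (unknown: flag for review)."""
    want = tuple(int(x) for x in cutoff.split("."))
    def check(v):
        if v is None:
            return True
        return tuple(int(x) for x in re.findall(r"\d+", v)) < want
    return check

def find_affected_apps(poms, artifact, is_affected):
    """poms: {app name: pom.xml text}. Returns sorted (app, version) hits for the artifact."""
    return sorted((app, v) for app, xml in poms.items()
                  for _, a, v in pom_dependencies(xml) if a == artifact and is_affected(v))

# Constructed sample inventory (four hypothetical apps), not PayPal's real repositories.
POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
       '<properties><cc.version>3.2.1</cc.version></properties><dependencies>{}</dependencies></project>')
DEP = ('<dependency><groupId>commons-collections</groupId>'
       '<artifactId>commons-collections</artifactId>{}</dependency>')
SAMPLE_POMS = {
    "checkout-api": POM.format(DEP.format("<version>3.2.1</version>")),
    "billing-ui": POM.format(DEP.format("<version>${cc.version}</version>")),
    "reports-job": POM.format(DEP.format("<version>3.2.2</version>")),
    "ledger-core": POM.format(DEP.format("")),  # version inherited from a parent: unknown, flagged
}
if __name__ == "__main__":
    # "3.2.2" is an assumed placeholder cutoff; take the real fixed version from the advisory.
    for app, v in find_affected_apps(SAMPLE_POMS, "commons-collections", below("3.2.2")):
        print(f"{app}: commons-collections {v or 'version not declared'}")
```

Dependencies pulled in transitively or through a parent POM do not appear in a direct `pom.xml` scan, which is why the version-less case is reported rather than silently skipped.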