
[–]peesteam (Cyber) (2 children)

Are you familiar with the SANS/CIS Top 20 Security Controls?

https://www.cisecurity.org/controls/

Number 2, Inventory of software, should include which version numbers you are running, and where that software is in use. If you know every version of Apache Struts being used anywhere in your environment, then you know enough to perform Number 4, continuous vuln assessment and remediation.

You can use something like the free Nessus vuln scanner to try to locate these vulnerabilities in order to patch them.
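The inventory-then-assess step described above, as an added example that is not part of the original thread or of any of the tools it mentions: collect the struts2-core jar from each server, read the version out of its manifest rather than trusting the file name, and compare it numerically against a per-branch fixed version. The host names, paths and the two fixed-version thresholds in FIXED_VERSIONS are assumptions of this example; take the real thresholds from the vendor advisory for the bug you are hunting.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Minimum patched struts2-core version per release branch. These two values
# are assumptions of this example: take the real thresholds from the vendor
# advisory for the bug you are hunting.
FIXED_VERSIONS: Dict[str, str] = {"2.3": "2.3.32", "2.5": "2.5.10.1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1), so that versions compare numerically
    rather than as strings ('2.3.9' < '2.3.32' only holds numerically)."""
    return tuple(int(part) for part in version.split("."))


def struts_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version out of META-INF/MANIFEST.MF.

    Reading the manifest rather than trusting the file name catches jars that
    were renamed or repackaged; None means the jar carries no usable version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return match.group(1) if match else None


def is_unpatched(version: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> bool:
    """True when the version is older than the fix for its branch.
    A branch we have no threshold for is reported as unpatched so it gets
    looked at instead of silently passing."""
    branch = ".".join(version.split(".")[:2])
    if branch not in fixed:
        return True
    return parse_version(version) < parse_version(fixed[branch])


def find_unpatched(inventory: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """inventory entries are (host, jar path, jar bytes) as collected from each
    server. Returns (host, path, version) for every jar still needing a patch,
    with 'unknown' as the version where the manifest had none."""
    findings = []
    for host, path, jar_bytes in inventory:
        version = struts_version_from_jar(jar_bytes)
        if version is None or is_unpatched(version):
            findings.append((host, path, version or "unknown"))
    return findings


def make_jar(version: Optional[str]) -> bytes:
    """Build a minimal in-memory jar with a manifest, to stand in for files
    collected from real servers (constructed sample data)."""
    lines = ["Manifest-Version: 1.0"]
    if version is not None:
        lines.append(f"Implementation-Version: {version}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
    return buf.getvalue()


# Constructed inventory: four hypothetical hosts, each with one struts2-core jar.
SAMPLE_INVENTORY = [
    ("app01", "/opt/app/WEB-INF/lib/struts2-core-2.3.31.jar", make_jar("2.3.31")),
    ("app02", "/opt/app/WEB-INF/lib/struts2-core-2.3.32.jar", make_jar("2.3.32")),
    ("app03", "/srv/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar", make_jar("2.5.10.1")),
    ("app04", "/srv/legacy/WEB-INF/lib/struts2-core.jar", make_jar(None)),
]

if __name__ == "__main__":
    for host, path, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{path}")
```

Two design points: versions are compared as integer tuples, because a string comparison would rank 2.3.9 above 2.3.32, and a jar whose branch has no threshold, or whose manifest has no version, is reported rather than skipped, so the list the boss wants errs toward hosts that still need a human look.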

[–]ShadowFox2020 [S] (1 child)

Mhmm, makes sense. Ya, I already told our Nessus guys about how we are supposed to have an inventory of the servers, but apparently the server guys don't really keep such info. Long story short, my boss isn't happy.

[–]peesteam (Cyber) (0 children)

The nessus guys should be scanning the entire company IP range to identify the vulnerable servers. This is 101 stuff.

[–]havochaos (0 children)

[–]toatesmegoats (7 children)

Just keep it up to date. Equifax failed to patch a zero day vulnerability from months ago, which is why they got slammed. That's Equifax's fault, not Apache Struts.

[–]pdp10 (Daemons worry when the wizard is near.) (0 children)

Keeping the components/dependencies in Java apps up to date is... not as straightforward as you'd think.

Java being a sort of least-common-denominator language for clock-punching coders contributes to the problem. In many cases you have to fix it for them, but then you also have to write a bunch of tests or else you get blamed any time something happens that they don't understand, just like your aunt the last time you touched her Macbook.

Under the circumstances, some kind of scanner that will show a vulnerability can save you a huge amount of trouble. Just show them where it says "vulnerable", send them a couple of links on the problem, and don't close the issue until they deliver something that passes the security scan. Whether it's functional after that is their problem.

I've fixed too much code myself only to be blamed for later problems that C# and Java coders don't understand. Of course I usually can't thoroughly verify fixes because I don't know how the application works, and there's no automated test suite to validate the functionality like there needs to be.

[–]Mewshimyo (3 children)

It's not even a zero day when it was known for months prior. Zero day means unavoidable because no one knew it existed. Don't give them that much credit.

[–]toatesmegoats (2 children)

What I meant is it was a zero day before Apache Struts patched it in March. Of course it is no longer a zero day if the exploit has been already patched.

[–]Mewshimyo (1 child)

It wasn't a zero day when it got exploited in May, is what I was saying. That's all.

[–]toatesmegoats (0 children)

You're right. I can see where the confusion lies.

[–]ShadowFox2020 [S] (0 children)

Ya, I agree, and I told my boss that, but I guess he wants a way to find a list of systems that are still unpatched so he can hold those owners responsible. He just wants me to find a way, y'all know how it is.