LAST UPDATED March 18, 2022
Last week, the Apache Software Foundation announced a new Apache Struts vulnerability (CVE-2018-11776) that looks just as bad as the one that took down Equifax last fall. When exploited, this vulnerability allows an attacker remote access to servers running an unpatched version of Struts (2.3 to 2.3.34 or 2.5 to 2.5.17). Thousands of companies running Struts are now potentially facing a serious threat to their systems. Those organizations without a WAF (Web Application Firewall) in place, or those leveraging one with outdated signatures, may be at risk of compromised systems and exposed data.
ThreatX customers were protected hours after exploit code for the vulnerability was released, with no work or additional effort required on their part. Our customers had the luxury to sit back, relax, and start testing the patch for Apache Struts at their leisure. We’ll explain more about our approach below.
If you are not a ThreatX customer, hopefully you are among those that have a WAF in blocking mode and have a signature in place or a method to get one deployed. If you're not confident in your WAF provider's signature updates, you may want to write the signature yourself. If you don't, and you are still running a vulnerable version of Apache Struts, forget change control or testing... PATCH NOW! Alright, I'm exaggerating, but it's imperative that you enact your emergency patch procedures, as the attack is in the wild and automated scanning for it has started.
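For readers who do want to write their own signature, here is an added illustration of the two checks that matter: whether a running Struts build falls in the version ranges the post lists, and whether a request path carries the kind of payload the public PoCs send. This is not ThreatX's rule or code. It assumes, from general knowledge of CVE-2018-11776 rather than from the post, that the exploit injects an OGNL expression (`${...}` or `%{...}`, usually URL-encoded) into the namespace portion of the request path; the log lines and the `flag_log_lines` helper are constructed for the example.

```python
"""Added example (not ThreatX's code): version check plus a simple request-path
signature for CVE-2018-11776 style requests, run over constructed log lines."""
import re
from urllib.parse import unquote, urlsplit

# Vulnerable ranges named in the post: 2.3 through 2.3.34 and 2.5 through 2.5.17.
VULNERABLE_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 17)))


def parse_version(version):
    """Turn '2.5.17' (or '2.5') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_struts(version):
    """True when the version sits inside one of the ranges the advisory covers."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in VULNERABLE_RANGES)


# Assumption (general knowledge about this CVE, not stated in the post): the
# payload is an OGNL expression in a path segment, so "${" or "%{" after
# URL-decoding is the signal worth matching.
OGNL_MARKER = re.compile(r"[$%]\{")


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_request(request_target):
    """Inspect only the path: the namespace Struts derives comes from there.
    Split before decoding so an encoded '#' or '?' inside the payload cannot
    truncate the part we look at."""
    path = urlsplit(request_target).path
    return bool(OGNL_MARKER.search(fully_decode(path)))


# Common-log-format request line, e.g. "GET /app/index.action HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample traffic: one benign hit, one ${1+1} probe in the namespace
# position, one benign request with "${" only in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Aug/2018:10:01:12 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Aug/2018:10:01:13 +0000] "GET /struts2-showcase/%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [24/Aug/2018:10:01:14 +0000] "GET /search?q=price%24%7B10%7D HTTP/1.1" 200 2048',
]


def flag_log_lines(lines):
    """Return the log lines whose request path matches the signature."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and is_suspicious_request(match.group("target")):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for version in ("2.3.34", "2.5.17", "2.5.18"):
        print(version, "vulnerable" if is_vulnerable_struts(version) else "fixed")
    for hit in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", hit)
```

The rule deliberately ignores the query string, because the vulnerable code builds the namespace from the path; if you port this into a WAF, pair it with the version check on your inventory so the signature is a stop-gap while the upgrade goes through, not a replacement for it.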
If you can't get a WAF deployed and are unable to upgrade Struts, you can always blame your compromise on one engineer who failed to apply an update.
Details
The initial vulnerability was announced on August 22nd but lacked exploit or PoC (Proof of Concept) code with sufficient detail to begin testing against our progressive behavioral risk analysis engine. Shortly after the announcement, the ThreatX SOC was made aware of a working PoC of the exploit published on GitHub and began analysis and testing to determine whether ThreatX customers would already be protected from the attack by our risk analysis engine. How?
- After determining that the existing risk engine might let an unacceptable number of exploitation attempts through before automatically blocking the traffic, we deployed a dedicated rule to ensure this exploit would be blocked immediately.
- Within 3 hours we had written, tested, and deployed the rule to all affected customers.
- ThreatX customers running Apache Struts didn’t have to take any action to be protected.
The ThreatX WAF can be spun up in minutes without requiring time from your development team to integrate it with your web application. ThreatX is deployed in secure Docker containers either in our cloud, your cloud, or on-premises, which enables us to bring new applications online quickly. As these container deployments can be fully automated and configuration changes scripted, ThreatX can easily work with your unique DevOps model.
The ThreatX Value
This vulnerability is obviously not the first or the last of its kind — we have seen many and we will see many more. Companies must be vigilant in looking for new attacks and react quickly to protect themselves. In addition to ThreatX's automated, behavior-based system that learns from previous attacks, the ThreatX SOC regularly publishes updated behavioral signatures to detect web-based attacks, whether they target the web application, web server, web application framework, or API. Our team tests and validates new vulnerabilities as they are identified — if we don't automatically block the exploit in an acceptable amount of time, we can write, test, and deploy a rule within hours.
All of this comes as part of our service that can be configured within minutes. Simply point your DNS to ThreatX and the advanced analytics will automatically fingerprint your site and differentiate legitimate versus suspicious traffic. No complicated integrations, no need to take time away from your development team, no dedicated WAF experts on your team required, and constantly updated security to protect against the known and unknown threats. In our cloud or yours in minutes. Give us a call.