With news breaking on the use of an Apache Struts vulnerability in the recent Equifax breach, we thought we’d shed some light on Struts exploits from our perspective.
First and foremost: Our customers should know that no Sentinel appliances or servers within the Sentinel infrastructure are affected by these vulnerabilities. And, more importantly, our customers’ networks have been protected against these Struts exploits since they were made public.
Struts vulnerabilities are nothing new – we’ve been witnessing Struts-related exploits for years. That said, there’s definitely been an uptick in alerts coinciding with the public release of CVE-2017-5638 in March and the more recent vulnerability revealed in September. In fact, you can see from the timeline below that over 50% of Struts alerts tripped on Sentinels so far in 2017 occurred in March after the release of CVE-2017-5638, with another 20% tripping since the September vulnerability was released.
In addition, these attempts have been pretty widespread, with 20% of our customer base logging a Struts-related alert in 2017.
Many others with a lot more information than us will have stronger opinions about this breach over the next few weeks, but we will say this: Good ol’ Layered Security in the form of an up-to-date IPS, a dependable Web Application Firewall (WAF), and/or a solid procedure around patching server software would have gone a long way in preventing this breach and others like it.