If your struts fail in your car, you WILL feel it.

The same is likely to be true for enterprises running intranet Java apps on Apache Struts.

What's the impact?

Remember Equifax? By the end of 2017 the breach had cost nearly $439M [1]. That was the last time Struts made the news in such a high-profile way [2]. Since then, Struts-specific ransomware and cryptominers have run rampant worldwide. Worst of all, vulnerabilities in the open-source Apache Struts framework were exploited so rapidly after disclosure that incident responders had little time to react.

The impact goes beyond high-traffic websites (e.g. Equifax, Experian, AnnualCreditReport.com). Struts also drives apps inside the enterprise, so managing Struts on the intranet is a big deal for defense, critical infrastructure and financial services. Flaws in Struts prompt major alerts from the world's CERTs.

What's the technical situation?

Admins must remain vigilant: there's no auto-update for Struts, and attackers rapidly reverse-engineer new patches into working exploits. Struts is -neutral and underpins a vast array of bespoke enterprise intranet applications, and because those apps vary in configuration and criticality, they're tough to manage.

Struts apps turn up with quirky configurations and in hard-to-scan or virtualized instances. As part of the web server stack, Struts can appear whenever a new app is plugged into the network, delivered by a contractor, or spun up in a transient or ephemeral tool. Updating a Struts-powered app is rarely as simple as patching to the latest version: Struts is a library bundled inside the application rather than a standalone service, so a fix usually means a code update, recompilation, QA and jumping through flaming devops hoops.

Managing Struts in the extended enterprise

There are multiple layers to managing Struts in the extended enterprise. While ForeScout CounterACT® may not typically be used to monitor the extranet (or automatically segment web servers off-network), it still has a crucial role in responding to Struts as an intranet target.

CounterACT security orchestration can trigger continuous vulnerability assessment: endpoints can be scanned when they try to join the network and again at regular intervals, using the ForeScout Extended Modules for Rapid7, Qualys and Tenable. These dynamic scanners work in conjunction with CounterACT's asset discovery. On managed Linux and Windows devices, CounterACT can identify Struts by inspecting running services; keep in mind that Struts itself is a library loaded inside a Java web container such as Tomcat, so the service you see is the container, and the Struts JARs live inside the applications it has deployed. In environments that can support it, limited Nmap scans can be orchestrated as well; some Apache Struts vulnerabilities are covered by community Nmap (NSE) scripts that can be reused across CounterACT deployments.
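The host-side identification step above, as an added example that is not ForeScout, CounterACT or Apache code: a Python script that walks a web container's application directory, finds Struts core JARs both in exploded applications and inside packaged .war/.ear archives, reads each version from the JAR file name (or, for renamed JARs, from the manifest), and flags anything below a baseline. The baseline version, the directory layout, the manifest keys it reads and the sample tree it builds are all assumptions made for the demonstration.

```python
"""Inventory Apache Struts JARs under a web container's application directory.

Added example, not ForeScout/CounterACT or Apache code. Baseline version,
directory layout, manifest keys and the sample tree are assumptions.
"""
import io
import os
import re
import tempfile
import zipfile

# Struts 2 ships as struts2-core-<version>.jar, Struts 1 as struts-core-<version>.jar.
VERSIONED_JAR = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")
# Assumption: the version your patch programme treats as the floor.
MIN_OK_VERSION = (2, 5, 22)


def parse_version(text):
    """'2.5.22' -> (2, 5, 22) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def is_candidate(name):
    """Any struts*.jar is worth a look: plugins and renamed JARs included."""
    base = os.path.basename(name)
    return base.startswith("struts") and base.endswith(".jar")


def jar_version(name, data):
    """Version from the file name, else from the manifest; None if neither says."""
    match = VERSIONED_JAR.match(os.path.basename(name))
    if match:
        return parse_version(match.group(1))
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        # Assumption: the build stamps one of these OSGi/standard manifest keys.
        if key.strip() in ("Bundle-Version", "Implementation-Version"):
            digits = re.match(r"\d+(?:\.\d+)+", value.strip())
            if digits:
                return parse_version(digits.group(0))
    return None


def inventory(root, min_ok=MIN_OK_VERSION):
    """Map every Struts JAR under root to (version, status).

    Keys are paths relative to root; JARs inside archives are written as
    '<archive>!<entry>'. Status is 'ok', 'OUTDATED' or 'unknown'.
    """
    found = {}

    def record(location, version):
        if version is None:
            status = "unknown"  # needs manual inspection; never assume patched
        elif version >= min_ok:
            status = "ok"
        else:
            status = "OUTDATED"
        found[location] = (version, status)

    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if is_candidate(fn):
                with open(full, "rb") as fh:
                    record(rel, jar_version(fn, fh.read()))
            elif fn.endswith((".war", ".ear")):  # packaged app: look inside
                with zipfile.ZipFile(full) as archive:
                    for entry in archive.namelist():
                        if is_candidate(entry):
                            record(rel + "!" + entry, jar_version(entry, archive.read(entry)))
    return found


def _jar_bytes(version):
    """Constructed minimal JAR: just a manifest carrying the version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nBundle-Version: %s\n" % version)
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixture: an exploded legacy app, a renamed JAR and a packaged WAR."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    lib = os.path.join(root, "webapps", "legacyapp", "WEB-INF", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "struts2-core-2.3.34.jar"), "wb") as fh:
        fh.write(_jar_bytes("2.3.34"))
    with open(os.path.join(lib, "struts-core-renamed.jar"), "wb") as fh:  # version only in manifest
        fh.write(_jar_bytes("2.5.10"))
    with zipfile.ZipFile(os.path.join(root, "webapps", "newapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.30.jar", _jar_bytes("2.5.30"))
        war.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", _jar_bytes("3.12.0"))  # not Struts
    return root


if __name__ == "__main__":
    for location, (version, status) in sorted(inventory(build_sample_tree()).items()):
        shown = ".".join(map(str, version)) if version else "?"
        print("%-8s %-8s %s" % (status, shown, location))
```

Point it at a container's application directory (for Tomcat, the webapps directory) and treat every "unknown" as a finding to inspect by hand, not as patched. It will not see Struts that a build has shaded into a single application JAR under another name, which is one more reason to pair host inventory with the dynamic scanning described above.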

Beyond Struts: Securing content management systems on nginx and Microsoft IIS

Struts isn't the only part of the web server stack with a history of suddenly exploited issues. IIS and nginx have had their own, and content management systems have a long history of input validation and injection problems. Many of the same defensive measures apply, however: coupling asset discovery to dynamic scanners helps manage recurring issues in intranet web apps like Drupal (e.g. Drupalgeddon 1, 2 and 3), Joomla, TYPO3 and enterprise wikis.

