If you’re going to place Apache Struts directly facing the internet, and with reachable sensitive data, here’s an idea.

Enable SELinux

This is the #1 thing almost every organisation seems to miss. Security Enhanced Linux is very simple to deploy — usually just one command — and it beefs up security on processes. Correctly deployed, it stops Tomcat accessing the system — so stops unknown exploits.

Let’s try different Struts exploits from the last year with an unpatched, vulnerable installation.

Let’s try it with CVE-2017–5638, used to own Equifax’s AI server. We’re running an install running as root as we’re also that silly.

Without SELinux:

$ python exploit.py http://127.0.0.1:8080/test/test.action "cat /etc/shadow"

CVE: 2017-5638 - Apache Struts2 S2-045

cmd: cat /etc/shadow

root:XXXXXX.::0:99999:7:::

Oh bums, it got owned.

With SELinux enabled:

$ python exploit.py http://127.0.0.1:8080/test/test.action "cat /etc/shadow"

CVE: 2017-5638 - Apache Struts2 S2-045

cmd: cat /etc/shadow

cat: /etc/shadow: Permission denied

Yay, we fail.

You can play with the SELinux policies to lock it down to further. There’s no reason for Tomcat to be running commands, for example.

I’ve tried this with all the Struts exploits over the past 12 months — the exploits didn’t work. It gives you valuable time to update your Struts installs.

SELinux is 19 years old and installed with Redhat and Fedora Linux, it just needs setting to enforcement mode. Considering — say — Experian spend big money on Splunk, Thycotic, Qualys and Sailpoint on their Struts servers, they might want to enable this free, two decade old feature.