Intermediate Mitigation Measures May be Required for Apache Struts Vulnerabilities

March 22, 2017 | Carole Fennelly, CISM


The general consensus among InfoSec professionals is to patch critical vulnerabilities such as the Apache Struts flaw as soon as the vendor makes a patch available. So why can’t your company simply patch Apache Struts and go on its merry way?

Not all events can be remediated immediately. Very often, intermediate mitigation measures must be taken to lower the risk of exploitation and protect assets quickly. For example, the Apache Struts vulnerability posed an immediate threat to web servers: an attacker could remotely execute arbitrary commands on the web server. This is a very serious vulnerability with a high risk of exploitation and a large number of active exploits in the wild.

Apache released a patch for the vulnerability, so the solution would seem to be simply applying it. However, this is not as simple to execute as it may appear. Apache Struts is a framework for building Servlet/JSP web applications, and it is embedded in each application as a library rather than installed once on the server. That means the development team in your organization has to update the library and rebuild the application. The rebuilt application then has to be deployed to QA for regression testing before being pushed to production. This requires time and change windows.

In addition, if an application is running an older version of Apache Struts (not merely the version immediately before the fixed release), the team may face even more significant development and test time, further delaying the organization’s ability to patch the vulnerability.
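Because the library is embedded in each application, the first job is finding out which applications carry Struts and at what version, so the rebuild and regression-test work can be scheduled. The script below is an added example, not code from the post or from the Struts project. It assumes applications are deployed as exploded WARs under one directory, each with a WEB-INF/lib folder, and that the Struts core jar keeps its Maven name (struts2-core-<version>.jar). The FIXED_VERSIONS table holds placeholder numbers, not the real fixed releases; fill it in from the vendor advisory you are acting on.

```python
"""Inventory the Struts library embedded in each deployed web application.

Added example, not code from the original post or from Apache Struts.
Assumptions: applications are deployed as exploded WARs under one root
directory, each with a WEB-INF/lib folder, and the Struts core jar keeps
its Maven name (struts2-core-<version>.jar). FIXED_VERSIONS holds
PLACEHOLDER numbers, not the real fixed releases: fill them in from the
vendor advisory you are acting on.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER values keyed by Struts branch (major.minor). Replace with the
# vendor's fixed release for each branch; these are not from the post.
FIXED_VERSIONS = {"2.3": "2.3.99", "2.5": "2.5.99"}

# struts2-core-2.3.31.jar -> version "2.3.31"
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31), so comparison is numeric. A plain string
    compare would rank '2.3.9' above '2.3.31'."""
    return tuple(int(part) for part in version.split("."))


def struts_version_from_jar(filename: str) -> Optional[str]:
    """Return the Struts version encoded in a jar name, or None."""
    match = JAR_RE.match(filename)
    return match.group(1) if match else None


def inventory(lib_listings: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map application name -> embedded Struts version (None if no Struts
    core jar is present). lib_listings maps app name -> WEB-INF/lib names."""
    result: Dict[str, Optional[str]] = {}
    for app, files in lib_listings.items():
        versions = [v for v in (struts_version_from_jar(f) for f in files) if v]
        result[app] = versions[0] if versions else None
    return result


def status(version: Optional[str]) -> str:
    """Classify one application's Struts version against FIXED_VERSIONS:
    'no-struts'  - nothing to do for this advisory
    'ok'         - at or above the fixed release on its branch
    'rebuild'    - older than the fixed release: update the library,
                   rebuild, regression-test, redeploy
    'review'     - branch not in the table (e.g. a much older line), which
                   is the larger upgrade the post warns about
    """
    if version is None:
        return "no-struts"
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "review"
    return "ok" if parts >= parse_version(fixed) else "rebuild"


def scan_webapps(root: str) -> Dict[str, List[str]]:
    """Walk exploded WARs under root and collect WEB-INF/lib file names
    in the shape inventory() expects."""
    listings: Dict[str, List[str]] = {}
    for app in sorted(os.listdir(root)):
        lib_dir = os.path.join(root, app, "WEB-INF", "lib")
        if os.path.isdir(lib_dir):
            listings[app] = sorted(os.listdir(lib_dir))
    return listings


def report(lib_listings: Dict[str, List[str]]) -> Dict[str, Tuple[Optional[str], str]]:
    """app -> (version, status) for every application."""
    return {app: (v, status(v)) for app, v in inventory(lib_listings).items()}


# Constructed sample standing in for scan_webapps() output; the version
# numbers are made up for the example.
SAMPLE_LISTINGS = {
    "orders": ["commons-lang3-3.4.jar", "struts2-core-2.3.31.jar"],
    "portal": ["struts2-core-2.5.8.jar", "ognl-3.1.12.jar"],
    "legacy": ["struts2-core-2.1.8.1.jar"],
    "static-site": ["jstl-1.2.jar"],
}

if __name__ == "__main__":
    for app, (version, state) in report(SAMPLE_LISTINGS).items():
        print(f"{app:12s} {version or '-':10s} {state}")
```

Run it against a real deployment with `report(scan_webapps("/path/to/webapps"))`. Matching on jar file names is a quick first pass only: a shaded or renamed jar will be missed, so confirm the result against each project's build file (pom.xml or build.gradle) before declaring an application clean.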

An interim mitigation measure is to deploy signatures to an Intrusion Prevention System (IPS) that block the exploit traffic. Test the IPS rules by monitoring network traffic to ensure the malicious traffic is actually being blocked until the system can be safely patched.

Containment measures such as this have a very short shelf life, because attackers have access to the same tools and can change the payload to evade the signature. It is critical to monitor traffic to ensure the IPS rule is correctly applied and is not being circumvented until a more permanent fix can be applied.
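One concrete way to do the monitoring the two paragraphs above call for is to correlate the IPS alert log with the web server's access log: if a client that triggered a drop still shows up in the web server log a second later, the request reached the application and the rule is not containing anything. The script below is an added example, not code from the post or from any IPS product. The IPS log format is invented here (`<date> <time> action=<drop|alert> sid=<rule id> src=<ip>`, timestamps in UTC), the access log is the standard Common Log Format, and rule id 9000001 is a constructed local placeholder.

```python
"""Verify that an interim IPS rule is actually blocking, not merely alerting.

Added example, not from the original post. It correlates two constructed
inputs: IPS alert lines in a format invented here
("<date> <time> action=<drop|alert> sid=<rule id> src=<ip>", times in UTC)
and web server access-log lines in Common Log Format. If a client that
triggered a 'drop' for the rule still shows up in the web server log
within a few seconds, the request reached the application: the rule is in
detect-only mode, on the wrong segment, or matched only part of the
traffic. The rule id 9000001 is a constructed local placeholder.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IPS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) action=(?P<action>\w+) "
    r"sid=(?P<sid>\d+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Common Log Format: client ip, ident, user, [time], "request", status, bytes
ACCESS_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_ips(lines: List[str]) -> List[Dict]:
    """Parse the constructed IPS alert lines; unknown lines are skipped."""
    events = []
    for line in lines:
        m = IPS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts.replace(tzinfo=timezone.utc),
                       "action": m.group("action").lower(),
                       "sid": m.group("sid"), "src": m.group("src")})
    return events


def parse_access(lines: List[str]) -> List[Dict]:
    """Parse Common Log Format lines; the offset in the timestamp makes
    the datetime timezone-aware so it compares with the IPS times."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ts": ts, "src": m.group("src"),
                     "req": m.group("req"), "status": int(m.group("status"))})
    return hits


def verify_blocking(ips_lines: List[str], access_lines: List[str],
                    sid: str, window_seconds: int = 5) -> Dict:
    """Summarise how rule `sid` behaved:
    alerts      - times the rule matched at all (zero means it is not
                  loaded or the traffic is not passing the sensor)
    drops       - matches with action=drop
    alert_only  - matches that were logged but not dropped
    leaked      - (src, access time) pairs where a dropped client still
                  produced a web server hit within window_seconds
    """
    events = [e for e in parse_ips(ips_lines) if e["sid"] == sid]
    hits = parse_access(access_lines)
    window = timedelta(seconds=window_seconds)
    report = {"alerts": len(events), "drops": 0, "alert_only": 0, "leaked": []}
    for e in events:
        if e["action"] != "drop":
            report["alert_only"] += 1
            continue
        report["drops"] += 1
        for h in hits:
            delta = h["ts"] - e["ts"]
            if h["src"] == e["src"] and timedelta(0) <= delta <= window:
                report["leaked"].append((e["src"], h["ts"].isoformat()))
                break
    return report


# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_IPS = [
    "2017-03-22 10:15:01 action=drop sid=9000001 src=203.0.113.5",
    "2017-03-22 10:15:07 action=alert sid=9000001 src=203.0.113.9",
    "2017-03-22 10:16:30 action=drop sid=9000001 src=198.51.100.77",
    "2017-03-22 10:17:00 action=drop sid=1000042 src=198.51.100.77",
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [22/Mar/2017:10:15:02 +0000] "POST /app/upload.action HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Mar/2017:10:15:08 +0000] "POST /app/upload.action HTTP/1.1" 200 512',
    '192.0.2.44 - - [22/Mar/2017:10:15:30 +0000] "GET /app/index.action HTTP/1.1" 200 2048',
    '198.51.100.77 - - [22/Mar/2017:10:40:00 +0000] "GET /app/index.action HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(verify_blocking(SAMPLE_IPS, SAMPLE_ACCESS, sid="9000001"))
```

On the sample data the rule fires three times, but one client that was supposedly dropped reaches the server a second later and another match was only alerted on, not dropped; both are findings to act on, the second being the common case of a rule shipped in detect-only mode. Correlating by client address and a short time window is a heuristic: behind a load balancer or reverse proxy the access log must be keyed on the forwarded client address instead, and a steady stream of alerts says nothing about payload variants the signature does not match, which is why the post insists on continued monitoring rather than a one-time check.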

Here’s the OTX Pulse relating to the vulnerability:


About the Author: Carole Fennelly, CISM, AlienVault

Carole Fennelly is a freelance Information Security Management consultant in the Greater NYC area. Carole has over 35 years of hands-on experience in the Information Security and Technology fields and has authored several industry-standard security benchmarks based on her extensive experience in operating system platforms and security practices. As a consultant, Carole has defined security strategies and developed policies and procedures to implement those strategies at numerous Fortune 500 clients in the NYC area. Carole's ability to analyze technology initiatives and their implications for business requirements is complemented by her strong technical writing skills.
