Three words that should strike fear into the heart of any defender are remote code execution (RCE). If an attacker can run an RCE exploit against a vulnerable system, it is game over. Unfortunately for many organizations, the latest Apache Struts vulnerability falls squarely in this category. From an economics perspective, the market takes these flaws very seriously: bug bounty programs nearly always pay the most for RCE discoveries. Enterprises with large on-premise environments will likely struggle to patch this flaw quickly because they often lack accurate, centralized asset management systems (sometimes referred to as configuration management databases, or CMDBs). Put simply: an organization cannot patch systems it does not know it has, and that was part of what happened in the Equifax breach in 2017.
Organizations operating largely in public cloud environments such as Amazon Web Services, Google Cloud or Microsoft Azure have a significant advantage over their on-prem peers if they use the cloud providers' APIs as part of their vulnerability management programs. These APIs provide a single channel for knowing precisely which systems are running in a cloud environment, in real time, and allow vulnerability scanners such as Tenable.io to pull a current list of running assets. The vulnerability assessment can then be done quickly, without wasting precious time sweeping large IP ranges as on-prem environments require. Interestingly, despite this advantage, RedLock's Cloud Security Intelligence team still found that nearly a quarter of organizations have hosts missing high-severity patches in their public cloud environments. This stems from the fact that organizations are still maturing their cloud security programs, though they are rapidly waking up to the visibility and control gap that the shared responsibility model leaves on the customer's side.
RedLock customers can use the RedLock Cloud 360 platform to identify vulnerable hosts within their environments. One can easily create an alert policy, supported through our vulnerability management integrations with Amazon Inspector and Tenable.io. By ingesting these feeds in real time and correlating them with host information, RedLock can identify affected hosts across Google, AWS and Microsoft clouds. For example, the following screenshot shows a RedLock query that looks for hosts carrying the CVE for the Struts vulnerability that are also receiving traffic from suspicious IP addresses.
RedLock Cloud 360 Detects Hosts That are Receiving Traffic From Suspicious IP Addresses and Vulnerable to the latest Apache Struts vulnerability
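The correlation described above, as an added example in plain Python (this is not RedLock's code and not the Cloud 360 query in the screenshot): an asset inventory built from output shaped like `aws ec2 describe-instances` is joined with scanner findings and VPC flow log records to produce the list of hosts that are both vulnerable and receiving accepted traffic from suspicious sources. All inputs are constructed samples; the CVE identifier is a placeholder because the post does not name it, and the scanner feed is a simplified shape, not the Inspector or Tenable.io schema.

```python
"""Join a cloud-API inventory with vulnerability findings and flow logs.

Added illustration; not RedLock code. Every input below is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Placeholder: the post does not name the Struts CVE.
TARGET_CVE = "CVE-0000-0000"

# Constructed sample shaped like `aws ec2 describe-instances` JSON.
DESCRIBE_INSTANCES_JSON = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
     "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Name", "Value": "struts-web-1"}]},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
     "PrivateIpAddress": "10.0.1.11", "PublicIpAddress": "203.0.113.11",
     "Tags": [{"Key": "Name", "Value": "struts-web-2"}]},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "terminated"},
     "PrivateIpAddress": "10.0.1.12", "Tags": [{"Key": "Name", "Value": "old-web"}]},
]}]})

# Constructed, simplified scanner feed (not the real Inspector/Tenable schema).
SCANNER_FINDINGS = [
    {"instance_id": "i-0a1b2c3d4e5f60001", "cve": "CVE-0000-0000", "severity": "critical"},
    {"instance_id": "i-0a1b2c3d4e5f60002", "cve": "CVE-0000-0001", "severity": "high"},
    {"instance_id": "i-0a1b2c3d4e5f60003", "cve": "CVE-0000-0000", "severity": "critical"},
]

# Constructed VPC flow log records in the default v2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.10 51234 8080 6 12 2400 1535000000 1535000060 ACCEPT OK
2 123456789012 eni-0aaa 192.0.2.55 10.0.1.10 44321 8080 6 3 300 1535000000 1535000060 REJECT OK
2 123456789012 eni-0bbb 198.51.100.7 10.0.1.11 51235 8080 6 5 900 1535000000 1535000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.10 10.0.1.11 33000 22 6 2 200 1535000000 1535000060 ACCEPT OK
"""

# Constructed threat-intel list; a real program would pull this from a feed.
SUSPICIOUS_IPS = {"198.51.100.7", "192.0.2.55"}


@dataclass
class Host:
    instance_id: str
    name: str
    private_ip: str
    public_ip: Optional[str]
    cves: Set[str] = field(default_factory=set)
    suspicious_sources: Set[str] = field(default_factory=set)


def running_hosts(describe_json: str) -> Dict[str, Host]:
    """Inventory from the API response; non-running instances are dropped."""
    hosts: Dict[str, Host] = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
            hosts[inst["InstanceId"]] = Host(
                inst["InstanceId"], name, inst["PrivateIpAddress"], inst.get("PublicIpAddress"))
    return hosts


def attach_findings(hosts: Dict[str, Host], findings: Iterable[dict]) -> None:
    """Findings for instances not in the live inventory are stale and ignored."""
    for f in findings:
        host = hosts.get(f["instance_id"])
        if host is not None:
            host.cves.add(f["cve"])


def attach_flows(hosts: Dict[str, Host], flow_lines: str, suspicious: Set[str]) -> None:
    """Record suspicious sources whose packets were ACCEPTed by a running host."""
    by_private_ip = {h.private_ip: h for h in hosts.values()}
    for line in flow_lines.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue  # malformed or unexpected record version
        src, dst, action = fields[3], fields[4], fields[12]
        try:
            src = str(ipaddress.ip_address(src))
        except ValueError:
            continue
        # A REJECTed flow never reached the application, so it is not "traffic received".
        if action == "ACCEPT" and src in suspicious and dst in by_private_ip:
            by_private_ip[dst].suspicious_sources.add(src)


def exposed_vulnerable_hosts(hosts: Dict[str, Host], cve: str) -> List[str]:
    """Instance IDs that carry `cve` and have accepted traffic from a suspicious IP."""
    return sorted(h.instance_id for h in hosts.values() if cve in h.cves and h.suspicious_sources)


def run_correlation() -> Dict[str, Host]:
    hosts = running_hosts(DESCRIBE_INSTANCES_JSON)
    attach_findings(hosts, SCANNER_FINDINGS)
    attach_flows(hosts, FLOW_LOG_LINES, SUSPICIOUS_IPS)
    return hosts


if __name__ == "__main__":
    inventory = run_correlation()
    for iid in exposed_vulnerable_hosts(inventory, TARGET_CVE):
        h = inventory[iid]
        print(f"{iid} ({h.name}) has {TARGET_CVE}; suspicious sources: {sorted(h.suspicious_sources)}")
```

Two choices worth noting: the inventory is built from the live API response before findings are joined, so a finding against a terminated instance (the third record) is discarded instead of producing a phantom alert, which is the failure mode an on-prem scan of a stale CMDB tends to produce; and only ACCEPTed flows count, since a rejected packet from a scanner never reached the Struts application.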
Equifax was initially breached only 72 hours after last year's Struts 2 vulnerability was disclosed. Unfortunately, we anticipate similar news in the coming months. IT and security teams would be wise to make patching this flaw their sole focus over the next few days. We believe that cloud-agnostic security tools such as the RedLock Cloud 360 platform can help organizations stay ahead of attackers, and many of our customers are already doing so today.