Hardening Apache Struts with SELinux

Kevin Beaumont
DoublePulsar
Published in
2 min readSep 19, 2017

If you’re going to place Apache Struts directly facing the internet, and with reachable sensitive data, here’s an idea.

Enable SELinux

This is the #1 thing almost every organisation seems to miss. Security Enhanced Linux is very simple to deploy — usually just one command — and it beefs up security on processes. Correctly deployed, it stops Tomcat accessing the system — so stops unknown exploits.

Let’s try different Struts exploits from the last year with an unpatched, vulnerable installation.

Let’s try it with CVE-2017–5638, used to own Equifax’s AI server. We’re running an install running as root as we’re also that silly.

Without SELinux:

$ python exploit.py http://127.0.0.1:8080/test/test.action "cat /etc/shadow"
CVE: 2017-5638 - Apache Struts2 S2-045
cmd: cat /etc/shadow
root:XXXXXX.::0:99999:7:::

Oh bums, it got owned.

With SELinux enabled:

$ python exploit.py http://127.0.0.1:8080/test/test.action "cat /etc/shadow"
CVE: 2017-5638 - Apache Struts2 S2-045
cmd: cat /etc/shadow
cat: /etc/shadow: Permission denied

Yay, we fail.

You can play with the SELinux policies to lock it down to further. There’s no reason for Tomcat to be running commands, for example.

I’ve tried this with all the Struts exploits over the past 12 months — the exploits didn’t work. It gives you valuable time to update your Struts installs.

SELinux is 19 years old and installed with Redhat and Fedora Linux, it just needs setting to enforcement mode. Considering — say — Experian spend big money on Splunk, Thycotic, Qualys and Sailpoint on their Struts servers, they might want to enable this free, two decade old feature.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

--

--

Published in DoublePulsar

Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer.

Written by Kevin Beaumont

Everything here is my personal work and opinions.

Responses (3)

What are your thoughts?