sunhux asked:
Will DB encryption protect against Struts CVE2017-9805 & future unknown vulnerabilities
Referring to the above Struts vulnerability, would an encrypted DB have helped
prevent this data leak/loss?
Does this Equifax & AXA dl come about by issuing an SQL command?
There could be other unknown vulnerabilities yet to be discovered, so
would DB encryption have helped?
ASKER
Or let me quote another analogy:
if my PC's HDD is encrypted (with a PBA password required), hackers
can't access my powered-down PC's HDD physically, but if the PC
is powered up & there's a remote execution vulnerability in my
OS, hackers can still get data out of my encrypted HDD via
this remote execution vulnerability: is this a fair analogy?
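The threat model behind the asker's analogy, as an added illustration that is not part of the original thread: encryption at rest is undone by the application itself on every read, so code running with the application's privileges sees plaintext while someone holding only the stored bytes does not. The store, the toy keystream cipher (a labelled stand-in for a real AEAD such as AES-GCM) and the sample record are all constructed here for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher for illustration only (stand-in for AES-GCM): keystream is
    HMAC-SHA256(key, nonce || counter), XORed in; XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class EncryptedAtRestStore:
    """Rows are stored as nonce||ciphertext; the application holds the key
    and transparently decrypts on every read (the usual at-rest design)."""

    def __init__(self, key: bytes):
        self._key = key
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, blob BLOB)")

    def put(self, cust_id: int, record: str) -> None:
        nonce = os.urandom(16)
        ct = toy_keystream_xor(self._key, nonce, record.encode())
        self._db.execute("INSERT INTO customers VALUES (?, ?)", (cust_id, nonce + ct))

    def get(self, cust_id: int) -> str:
        # Normal application read path: a legitimate-looking query yields plaintext.
        (blob,) = self._db.execute(
            "SELECT blob FROM customers WHERE id = ?", (cust_id,)).fetchone()
        return toy_keystream_xor(self._key, blob[:16], blob[16:]).decode()

    def stored_bytes(self) -> list:
        # What a stolen DB file / disk image contains: no key, ciphertext only.
        return [row[0] for row in self._db.execute("SELECT blob FROM customers")]


def build_sample_store() -> EncryptedAtRestStore:
    store = EncryptedAtRestStore(key=os.urandom(32))
    store.put(1, "name=Jane Doe;ssn=000-00-0000")  # constructed sample record
    return store


def offline_disk_view(store: EncryptedAtRestStore) -> list:
    """Powered-down / stolen-disk scenario: encryption does its job here."""
    return store.stored_bytes()


def compromised_app_view(store: EncryptedAtRestStore, cust_id: int) -> str:
    """Code running with the app's privileges (e.g. after an RCE in the web
    tier) just uses the same read path the app uses, so encryption at rest
    does not help; patching the application layer is what closes this gap."""
    return store.get(cust_id)
```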
ASKER
I'm still trying to understand what Struts does: it's in a web server sending
queries to the DB? If so, I guess a query that appears legit sent from the web
server to the DB will still return the required data from the DB, resulting
in data loss/leaks (like Equifax & AXA's case)?
ASKER
apply the Struts patch, or with DB encryption in place, we don't need to
anymore?
We have NIDS & HIPS: they regularly release signatures for Struts
vulns & signatures don't require reboots/restarts for their protection
to take effect: would applying the signature suffice (i.e. no need for the patch)?