Endpoint Protection

  • 1.  CVE-2017-9805 Apache Struts Vulnerability

    Posted Sep 06, 2017 03:17 PM

    There is a fresh vulnerability out for Apache. CVE-2017-9805

    While my SEPM is not internet facing, I would like to know how people are securing their SEPM from Apache vulnerabilities. This is the second one this year.
    There does not seem to be an NTP rule out for this yet.



  • 2.  RE: CVE-2017-9805 Apache Struts Vulnerability

    Posted Sep 06, 2017 03:23 PM

    For any external/DMZ facing SEPM, firewall off the web service ports and only allow what's needed, which should be client communication.



  • 3.  RE: CVE-2017-9805 Apache Struts Vulnerability

    Posted Sep 07, 2017 05:13 AM

    Hi cable mite,

    The Apache software built into the SEPM is a custom build, usually hardened down to do just what is needed and not open to anything else. If Symantec's internal researchers determine there is a danger, a new version of the SEPM will be released to keep the organization safe. There's no need to try to manually upgrade or patch the Apache software built into the SEPM.

    Security Advisories Relating to Symantec Products
    https://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory

    For other Apache software, best practice calls for patching as soon as vendors make patches available!  One is available for CVE-2017-9805 now.



  • 4.  RE: CVE-2017-9805 Apache Struts Vulnerability

    Posted Sep 07, 2017 08:26 PM

    Looks like the NTP/IPS rule for CVE-2017-9805 was released on the 7th: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2017&suid=SEP_Jaguar-SU1610-20170907.011

    LiveUpdate Def ID 20170907.011 should have you covered.



  • 5.  RE: CVE-2017-9805 Apache Struts Vulnerability

    Posted Sep 08, 2017 04:45 AM

    Thanks sc0rh!

    The latest IPS defs, "Symantec Endpoint Protection - Security Update 220" do indeed include:

    Attack: Apache Struts CVE 2017 9805 2 https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30278