Potential OGNL Injection Exploitation In JVM Based Application

 1title: Potential OGNL Injection Exploitation In JVM Based Application
 2id: 4d0af518-828e-4a04-a751-a7d03f3046ad
 3status: test
 4description: |
 5    Detects potential OGNL Injection exploitation, which may lead to RCE.
 6    OGNL is an expression language that is supported in many JVM based systems.
 7    OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)    
 8references:
 9    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
10author: Moti Harmats
11date: 2023/02/11
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - cve.2017.5638
16    - cve.2022.26134
17logsource:
18    category: application
19    product: jvm
20    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
21detection:
22    keywords:
23        - 'org.apache.commons.ognl.OgnlException'
24        - 'ExpressionSyntaxException'
25    condition: keywords
26falsepositives:
27    - Application bugs
28level: high

References

• Threat and Vulnerability Hunting with Application Server Error Logs

  

  IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c

  
  Read More

Related rules

• Java Payload Strings
• Atlassian Confluence CVE-2022-26134
• Potential CVE-2022-21587 Exploitation Attempt
• Potential CVE-2023-23752 Exploitation Attempt
• Potential JNDI Injection Exploitation In JVM Based Application