Potential CVE-2021-27905 Exploitation Attempt

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Sigma rule (View on GitHub)

 1title: Potential CVE-2021-27905 Exploitation Attempt
 2id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
 3status: test
 4description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
 5references:
 6    - https://twitter.com/Al1ex4/status/1382981479727128580
 7    - https://twitter.com/sec715/status/1373472323538362371
 8    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
 9    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
10    - https://github.com/murataydemir/CVE-2021-27905
11author: '@gott_cyber'
12date: 2022-12-11
13modified: 2023-03-24
14tags:
15    - attack.initial-access
16    - attack.t1190
17    - cve.2021-27905
18    - detection.emerging-threats
19logsource:
20    category: webserver
21detection:
22    selection_request1:
23        cs-uri-query|contains|all:
24            - '/solr/'
25            - '/debug/dump?'
26            - 'param=ContentStream'
27        sc-status: 200
28    selection_request2:
29        cs-method: 'GET'
30        cs-uri-query|contains|all:
31            - '/solr/'
32            - 'command=fetchindex'
33            - 'masterUrl='
34        sc-status: 200
35    condition: 1 of selection_*
36falsepositives:
37    - Vulnerability Scanners
38level: medium

References

Related rules

to-top