Potential CVE-2022-21587 Exploitation Attempt

calendar Jan 1, 2024 · attack.initial_access attack.t1190 cve.2022.21587 detection.emerging_threats  ·
Share on: linkedin copy

Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

Sigma rule (View on GitHub)

 1title: Potential CVE-2022-21587 Exploitation Attempt
 2id: d033cb8a-8669-4a8e-a974-48d4185a8503
 3status: test
 4description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
 5references:
 6    - https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
 7    - https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis
 8    - https://github.com/hieuminhnv/CVE-2022-21587-POC
 9    - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
10author: Isa Almannaei
11date: 2023/02/13
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - cve.2022.21587
16    - detection.emerging_threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        cs-method: 'POST'
22        cs-uri-query|contains:
23            - '/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE'
24            - '/OA_HTML/BneUploaderService?bne:uueupload=TRUE'
25            - '/OA_HTML/BneDownloadService?bne:uueupload=TRUE'
26            - '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE'
27    condition: selection
28falsepositives:
29    - Vulnerability Scanners
30level: high

References

Related rules

to-top