FILE-OTHER -- Snort detected traffic targeting vulnerabilities in a file type that does not require enough rule coverage to have its own category.
FILE-OTHER Jackson databind deserialization remote code execution attempt
This event is generated when an attacker attempts to force the Java deserialization of a malicious JSON object.
Attempted User Privilege Gain
Looks for malicious Java classes to be deserialized
Ease of Attack:
Medium; information is publicly available, but it does require a) the right conditions and b) some exploit modification
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2017-15095: A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.