FILE-JAVA -- Snort has detected traffic targeting vulnerabilities that are exploited in Java files such as .class or .jar.
FILE-JAVA IBM Java invokeWithClassLoaders method call attempt
This event is generated when a user attempts to download a .class file that contains a call to the invokeWithClassLoaders() method, which can be used to escape vulnerable IBM Java sandboxes.
Attempted User Privilege Gain
Rule checks for a .class containing a call to invokeWithClassLoaders() from the com.ibm.rmi.util.ProxyUtil class.
Ease of Attack:
What To Look For
No public information
Known false positives, with the described conditions
Any .class file containing the method will be detected.
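For triaging a captured .class file offline, the check described above can be approximated by resolving the file's constant-pool method references. This is an added example, not the Snort rule or Talos code; the function names and the constructed sample are assumptions of this example, and it parses only the class-file header and constant pool.

```python
import struct

# Payload size in bytes after the tag byte for fixed-size constant-pool entries (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
TARGET = ("com/ibm/rmi/util/ProxyUtil", "invokeWithClassLoaders")

def parse_constant_pool(data):
    """Return {index: (tag, payload)} for the constant pool of a .class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool, off, i = {}, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length, then bytes
            (n,) = struct.unpack_from(">H", data, off)
            pool[i], off = (tag, data[off + 2:off + 2 + n]), off + 2 + n
        elif tag in FIXED:
            pool[i], off = (tag, data[off:off + FIXED[tag]]), off + FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 2 if tag in (5, 6) else 1    # Long and Double occupy two slots
    return pool

def methodrefs(pool):
    """Yield (class_name, method_name) for each Methodref/InterfaceMethodref."""
    def name(idx):
        return pool[idx][1].decode("utf-8", "replace")
    for tag, payload in pool.values():
        if tag in (10, 11):
            class_idx, nat_idx = struct.unpack(">HH", payload)
            (cname_idx,) = struct.unpack(">H", pool[class_idx][1])
            name_idx, _desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            yield name(cname_idx), name(name_idx)

def references_target(data):
    """True if a method reference resolves to ProxyUtil.invokeWithClassLoaders."""
    try:
        return TARGET in set(methodrefs(parse_constant_pool(data)))
    except (IndexError, KeyError, struct.error) as exc:
        raise ValueError("truncated or malformed constant pool") from exc

def build_sample(cls, method):
    """Constructed sample: class-file header plus a pool holding one Methodref."""
    u8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = [u8(cls), b"\x07\x00\x01", u8(method), u8("()V"),
            b"\x0c\x00\x03\x00\x04", b"\x0a\x00\x02\x00\x05"]
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(pool) + 1) + b"".join(pool)
```

A file that only carries the method name as a string, or calls a same-named method on another class, returns False here, which helps separate those cases during alert review.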
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2012-4820: Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager; and other products from other vendors such as Red Hat, when running under a security manager, allows remote attackers to gain privileges by modifying or removing the security manager via vectors related to "insecure use of the java.lang.reflect.Method invoke() method."