FILE-JAVA -- Snort has detected traffic targeting vulnerabilities that are exploited in java files such as .class or .jar.
FILE-JAVA IBM Java invokeWithPrivilege method call attempt
This event is generated when a user attempts to download a .class file that contains a call to the invokeWithClassLoaders() method, which can be used to escape vulnerable IBM Java sandboxes.
Impact: Attempted User Privilege Gain
Details: Rule checks for a .class containing a call to invokeWithClassLoaders() from the com.ibm.rmi.util.ProxyUtil class.
Ease of Attack: Hard
No public information
Known false positives, with the described conditions
Any .class file containing the method will be detected.
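As an added example that is not part of the Talos rule page, the following Python scanner mirrors what the rule description says it looks for: it walks a Java class file's constant pool and reports Methodref entries that name invokeWithClassLoaders on com/ibm/rmi/util/ProxyUtil. The two class files it checks are constructed inline; the method descriptor "()V" and the class name "Dropper" are placeholders (not the real IBM API signature), and the function names are this example's own. Like the rule, it flags any class carrying the reference, whether or not the code ever escapes a sandbox, which is exactly the false-positive condition noted above.

```python
import struct

# Constant pool tags from the JVM class file specification
CONSTANT_UTF8, CONSTANT_CLASS, CONSTANT_METHODREF = 1, 7, 10
CONSTANT_INTERFACE_METHODREF, CONSTANT_NAME_AND_TYPE = 11, 12

# What the Snort rule description says it matches on (page values, in JVM internal form)
TARGET_CLASS = "com/ibm/rmi/util/ProxyUtil"
TARGET_METHOD = "invokeWithClassLoaders"


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, value)} for the constant pool of a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    count = struct.unpack_from(">H", data, 8)[0]  # constant_pool_count
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == CONSTANT_UTF8:
            length = struct.unpack_from(">H", data, off)[0]
            off += 2
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (3, 4):                       # Integer, Float
            pool[idx] = (tag, struct.unpack_from(">I", data, off)[0]); off += 4
        elif tag in (5, 6):                       # Long, Double: occupy two slots
            pool[idx] = (tag, struct.unpack_from(">Q", data, off)[0]); off += 8
            idx += 1
        elif tag in (7, 8, 16, 19, 20):           # Class, String, MethodType, Module, Package
            pool[idx] = (tag, struct.unpack_from(">H", data, off)[0]); off += 2
        elif tag in (9, 10, 11, 12, 17, 18):      # Fieldref, Methodref, IfaceMethodref, NameAndType, Dynamic, InvokeDynamic
            pool[idx] = (tag, struct.unpack_from(">HH", data, off)); off += 4
        elif tag == 15:                           # MethodHandle: u1 kind + u2 index
            pool[idx] = (tag, (data[off], struct.unpack_from(">H", data, off + 1)[0])); off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 1
    return pool


def method_references(data: bytes) -> list:
    """List every (class, method, descriptor) the class file references."""
    pool = parse_constant_pool(data)
    refs = []
    for tag, value in pool.values():
        if tag in (CONSTANT_METHODREF, CONSTANT_INTERFACE_METHODREF):
            class_idx, nt_idx = value
            class_name = pool[pool[class_idx][1]][1]   # Class -> Utf8
            name_idx, desc_idx = pool[nt_idx][1]       # NameAndType -> (Utf8, Utf8)
            refs.append((class_name, pool[name_idx][1], pool[desc_idx][1]))
    return refs


def references_method(data: bytes, class_name: str = TARGET_CLASS, method_name: str = TARGET_METHOD) -> bool:
    """True if the class file carries a Methodref to class_name.method_name, regardless of how it is used."""
    return any(c == class_name and m == method_name for c, m, _ in method_references(data))


# --- constructed sample class files (no Long/Double entries, so count == len(entries) + 1) ---
def _utf8(s): return bytes([CONSTANT_UTF8]) + struct.pack(">H", len(s.encode())) + s.encode()
def _class(i): return bytes([CONSTANT_CLASS]) + struct.pack(">H", i)
def _name_and_type(n, d): return bytes([CONSTANT_NAME_AND_TYPE]) + struct.pack(">HH", n, d)
def _methodref(c, nt): return bytes([CONSTANT_METHODREF]) + struct.pack(">HH", c, nt)


def build_class(entries, this_index, super_index) -> bytes:
    """Minimal class file: header, constant pool, empty field/method/attribute tables."""
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(entries) + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, this_index, super_index, 0, 0, 0, 0)
    return header + b"".join(entries) + tail


# Constructed: a class named "Dropper" (placeholder) referencing the method the rule names.
# "()V" is a placeholder descriptor, not the real IBM API signature.
SUSPICIOUS_CLASS = build_class([
    _utf8(TARGET_CLASS),      # 1
    _class(1),                # 2
    _utf8(TARGET_METHOD),     # 3
    _utf8("()V"),             # 4
    _name_and_type(3, 4),     # 5
    _methodref(2, 5),         # 6
    _utf8("Dropper"),         # 7
    _class(7),                # 8
    _utf8("java/lang/Object"),# 9
    _class(9),                # 10
], this_index=8, super_index=10)

# Constructed: a class with no such reference.
BENIGN_CLASS = build_class([
    _utf8("Hello"), _class(1), _utf8("java/lang/Object"), _class(3),
], this_index=2, super_index=4)


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_CLASS), ("benign", BENIGN_CLASS)):
        print(label, "->", references_method(blob), method_references(blob))
```

Because the check is a static constant-pool match, a triage step after a hit is to look at which method of the class actually invokes the reference and with what arguments; the scanner above deliberately stops at the same point the rule does.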
Cisco Talos Intelligence Group
No rule groups
Insecure Deserialization relates to web application security. Applications turn an object into data through serialization; the reverse of that process, deserialization, can be vulnerable to attacks when the application trusts the data that is being deserialized. Serialized data is machine readable and not encrypted; serialized user-supplied data should not be trusted. Deserialization attacks can lead to remote code execution.
CVE-2012-4820: Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager; and other products from other vendors such as Red Hat, when running under a security manager, allows remote attackers to gain privileges by modifying or removing the security manager via vectors related to "insecure use of the java.lang.reflect.Method invoke() method."
Tactic: Initial Access
Technique: Spearphishing Attachment
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org