SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.
SERVER-WEBAPP Apache Struts OGNL expression injection attempt
This event is generated when an OGNL injection attempt is detected.
Possible remote code execution
This vulnerability exists when a web server passes raw user input to an a method that interprets the input as an OGNL expression. This rule detects OGNL injection attempts that try to execute system commands using the Java runtime by searching for "getRuntime" followed by "exec" in any requests to an Apache Struts action page.
Ease of Attack:
Medium, publicly available exploits for a number of vulnerable web applications.
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2017-9791The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
||Ease of Access||