SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER Apache Log4j SocketServer insecure deserialization remote code execution attempt
Remote code execution when deserializing data through the SocketServer class.
This rule alerts when an attacker attempts to exploit a remote command execution vulnerability in Apache Log4j when deserializing untrusted data in the SocketServer class.
No public information
No known false positives
Cisco Talos Intelligence Group
Tactic: Initial Access
Technique: Exploit Public-Facing Application
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that deserializes untrusted data. When it listens for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code. This affects Log4j 1.2 versions up to and including 1.2.17.