Rule Category

POLICY-OTHER

Alert Message

POLICY-OTHER Apache OFBiz EntitySQLProcessor arbitrary SQL command execution attempt

Rule Explanation

This rule looks for HTTP requests sent to the "EntitySQLProcessor" endpoint in Apache OFBiz web applications that contain arbitrary SQL commands.

What To Look For

This rule fires on attempts to invoke the "EntitySQLProcessor" endpoint in Apache OFBiz web applications. This endpoint allows for the execution of arbitrary SQL commands. Before the patch for CVE-2024-38856, this endpoint did not require any authentication.

Known Usage

Public information/Proof of Concept available

False Positives

Known false positives, with the described conditions

This rule alerts on all attempts to execute SQL commands supplied through the "sqlCommand" parameter of the "/EntitySQLProcessor" endpoint on Apache OFBiz web applications.
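The following is an added example, not part of the Talos rule documentation and not the Snort rule itself: a small Python matcher that applies the same condition described above (a request to the "/EntitySQLProcessor" endpoint carrying a "sqlCommand" parameter) to HTTP request lines, so a defender can test how their own logs would trigger it. The sample request lines and the OFBiz path prefix "/webtools/control/" are constructed for the demonstration; the endpoint name and parameter name come from this page.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Matching is case-insensitive and URL-decoded, because the rule's
# condition is about the endpoint and parameter, not a literal byte string.
ENDPOINT_SUFFIX = "/entitysqlprocessor"
PARAM_NAME = "sqlcommand"


def is_entity_sql_attempt(request_line: str, body: str = "") -> bool:
    """Return True when an HTTP request targets the OFBiz EntitySQLProcessor
    endpoint and carries a sqlCommand parameter in the query string or,
    for POST requests, in a form-encoded body."""
    parts = request_line.split()
    if len(parts) < 2:
        return False  # not a well-formed request line
    method, target = parts[0].upper(), parts[1]
    url = urlsplit(target)

    # Normalise the path: decode percent-encoding, ignore case and a trailing slash.
    path = unquote(url.path).lower().rstrip("/")
    if not path.endswith(ENDPOINT_SUFFIX):
        return False

    # Collect parameter names from the query string (and body for POST).
    names = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    if method == "POST" and body:
        names |= {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    return PARAM_NAME in names


# Constructed sample traffic (request line, body); not captured data.
SAMPLE_REQUESTS = [
    ("GET /webtools/control/main HTTP/1.1", ""),
    ("GET /webtools/control/EntitySQLProcessor?sqlCommand=SELECT+1 HTTP/1.1", ""),
    ("POST /webtools/control/EntitySQLProcessor HTTP/1.1",
     "group=org.ofbiz&sqlCommand=SELECT+1"),
    ("GET /webtools/control/Entity%53QLProcessor/?SQLCOMMAND= HTTP/1.1", ""),
    ("GET /webtools/control/EntitySQLProcessor HTTP/1.1", ""),
]


def scan_requests(samples) -> list:
    """Return the indices of samples that would trigger the rule condition."""
    return [i for i, (line, body) in enumerate(samples)
            if is_entity_sql_attempt(line, body)]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"match: {SAMPLE_REQUESTS[i][0]}")
```

The last sample reaches the endpoint without a "sqlCommand" parameter and is deliberately not matched, mirroring the condition stated under False Positives; the third sample shows that a percent-encoded path and an empty parameter value still count, which is why decoding before comparison matters when tuning a rule like this.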

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Rule Categories::Policy::Other

CVE

Additional Links

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2024-38856