Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.

Alert Message

SERVER-WEBAPP Java ClassLoader access attempt

Rule Explanation

An attacker could potentially gain remote code execution on a vulnerable web application that exposes the class object, and through it the ClassLoader, to untrusted request input. This access can be used to alter core settings of the application and allow a web shell to be uploaded.

What To Look For

This rule alerts on an attempt to access the protected Java ClassLoader object.
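The following is an added illustration of the kind of check this rule describes, written for this page; it is not the Snort rule's own detection logic and not Talos code. It inspects the parameter names of HTTP request lines and flags any bound property path that reaches the class object (class or getClass) and then the ClassLoader, which is the shape of the parameter names involved in both the Struts ParametersInterceptor issue (CVE-2014-0112) and Spring data binding (CVE-2022-22965). It generalizes slightly beyond the page by also catching intermediate path segments between class and classLoader, and by accepting both dotted and bracketed notation. The request lines, URL paths and property names are constructed samples, not real traffic.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request lines (not captured traffic). Only the parameter
# NAMES matter for this check; values are deliberately meaningless.
SAMPLE_REQUESTS = [
    "GET /app/login.action?username=alice&password=secret HTTP/1.1",
    "GET /app/login.action?class.classLoader.x=1 HTTP/1.1",
    "POST /app/login.action?class['classLoader'].y=1 HTTP/1.1",
    "GET /app/login.action?Class.ClassLoader.x=1 HTTP/1.1",
    "GET /app/search?q=classloader+java&className=Foo HTTP/1.1",
]


def parameter_path(name: str) -> list[str]:
    """Split a bound property name into its path segments.

    "class['classLoader'].x" -> ["class", "classLoader", "x"]
    Dots, square brackets and quotes are all treated as separators, since
    expression languages used for data binding accept either notation.
    """
    return [seg for seg in re.split(r"[.\[\]'\"]+", name) if seg]


def references_classloader(name: str) -> bool:
    """True if the path goes through the class object and then to the ClassLoader.

    The comparison is case-insensitive so that "Class.ClassLoader" is treated
    the same as "class.classLoader". Any segments between the two (for
    example a module segment) are allowed, which is the generalization noted
    in the lead-in.
    """
    segs = [s.lower() for s in parameter_path(name)]
    for i, seg in enumerate(segs):
        if seg in ("class", "getclass"):
            return "classloader" in segs[i + 1:]
    return False


def inspect_request_line(line: str) -> list[str]:
    """Return the parameter names in one HTTP request line that reach the ClassLoader."""
    parts = line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    # parse_qsl URL-decodes names, so percent-encoded brackets are handled.
    return [
        name
        for name, _value in parse_qsl(query, keep_blank_values=True)
        if references_classloader(name)
    ]


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan many request lines; return (index, offending parameter names) for each hit."""
    findings = []
    for idx, line in enumerate(lines):
        hits = inspect_request_line(line)
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: ClassLoader access attempt via {hits}")
```

Only parameter names are examined, so a search term that merely contains the word "classloader" in its value is not reported, and a name such as className is not confused with the class object itself. A real deployment would apply the same check to POST bodies and to any other channel that feeds the application's data binder, not just the query string.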

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

Additional Links

Rule Vulnerability

Escalation of Privilege

An Escalation of Privilege (EOP) attack is any attack method that results in a user or application gaining permissions to access resources they normally would not have access to.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2014-0112
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Details
Severity: HIGH
Base Score: 7.5
Impact Score: 6.4
Exploit Score: 10
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: null
Authentication: NONE
CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Details
Base Score: 9.8
Impact Score: 5.9
Exploit Score: 3.9
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Attack Vector: NETWORK
Scope: UNCHANGED
User Interaction: NONE
Ease of Access: LOW
Privileges Required: NONE

MITRE ATT&CK Framework

Tactic: Execution

Technique: Execution through Module Load

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org