SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt

This alert is triggered when an adversary attempts to exploit CVE-2011-0807 and gain access to the Oracle GlassFish Server without providing a "JSESSIONID". Oracle GlassFish Server is an open-source application server provided by Oracle for the Java EE platform. The rule detects attempts to bypass authentication by matching HTTP GET requests whose URI contains "/applications/upload" followed by ".jsf" or "Frame.jsf" and which do not contain the string "JSESSIONID=". On a match, the rule also sets the flowbit "glassfish_unauth_attempt".

ID Number

20159

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)
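
The signature's three match conditions can be approximated offline to triage captured requests. This is an added example, not part of the original rule documentation and not Snort's own matching engine; the function names, host name, cookie value and sample requests (including the "uploadStatus.jsf" page) are constructed for illustration.

```python
import re

# "/applications/upload" followed immediately by ".jsf" or "Frame.jsf",
# mirroring the rule's http_uri content match plus its relative pcre.
URI_RE = re.compile(rb"/applications/upload(?:Frame)?\.jsf")


def matches_sid_20159(raw_request: bytes) -> bool:
    """Approximate SID 20159's three conditions on one raw HTTP request."""
    parts = raw_request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return False                      # no parseable request line
    method, uri = parts[0], parts[1]
    if method.upper() != b"GET":          # content:"GET"; nocase; http_method
        return False
    if not URI_RE.search(uri):            # content ... http_uri + pcre
        return False
    # content:!"JSESSIONID=" is case-sensitive and not tied to a header,
    # so the string anywhere in the request suppresses the match.
    return b"JSESSIONID=" not in raw_request


def triage(requests: dict) -> list:
    """Return the names of the requests the rule's logic would flag."""
    return [name for name, raw in requests.items() if matches_sid_20159(raw)]


# Constructed sample requests (not captured traffic); the host name and
# the cookie value are placeholders.
HOST = b"Host: glassfish.example\r\n"
SAMPLES = {
    "frame_no_cookie": b"GET /applications/uploadFrame.jsf HTTP/1.1\r\n" + HOST + b"\r\n",
    "lowercase_method": b"get /applications/upload.jsf HTTP/1.1\r\n" + HOST + b"\r\n",
    "with_session": b"GET /applications/upload.jsf HTTP/1.1\r\n" + HOST
                    + b"Cookie: JSESSIONID=constructed-value\r\n\r\n",
    "post_request": b"POST /applications/upload.jsf HTTP/1.1\r\n" + HOST + b"\r\n",
    "other_page": b"GET /applications/uploadStatus.jsf HTTP/1.1\r\n" + HOST + b"\r\n",
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print("would alert:", name)
```

The third condition is only the absence of the string "JSESSIONID=", so any GET to that URI without a session cookie satisfies it, whatever the sender's intent.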

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Immediately check the GlassFish Server for signs of compromise or unauthorized changes. Upgrade the Oracle GlassFish Server to a version that has patched this vulnerability, or apply the relevant security patches.