SERVER-OTHER Oracle GoldenGate arbitrary file write attempt

This alert detects attempts to exploit an arbitrary file write vulnerability in Oracle GoldenGate (CVE-2016-0451). The rule looks for a specific byte pattern in the TCP payload of an established client-to-server connection that may indicate an exploitation attempt. This rule helps to identify potential exploits targeting the mentioned vulnerability.

ID Number

44716

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle GoldenGate arbitrary file write attempt"; flow:to_server,established; content:"|48 00|"; depth:2; offset:2; content:":|5C|"; within:2; distance:2; metadata:policy max-detect-ips drop; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44716; rev:2;)
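To show which byte positions the two content checks above actually constrain, here is an added Python re-implementation of the rule's matching logic (example code, not part of the rule or of Snort), run over constructed payloads; the flow and network-variable conditions are assumed satisfied and are not modelled.

```python
# Added example (not the rule's code): re-implements the content matching of
# Snort sid 44716 so the offset/depth/distance/within constraints can be
# exercised offline. flow:to_server,established and $HOME_NET/$EXTERNAL_NET
# are assumed satisfied; only the payload bytes are examined.

def find_in_window(payload: bytes, needle: bytes, start: int, window: int) -> int:
    """End offset of the first `needle` lying fully inside
    payload[start:start+window], or -1. This mirrors how depth (absolute)
    and within (relative) bound a Snort content search."""
    region = payload[start:start + window]
    idx = region.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)


def matches_sid_44716(payload: bytes) -> bool:
    """True if the payload satisfies both content checks of sid 44716.

    content:"|48 00|"; offset:2; depth:2;  -> bytes 2..3 must be 48 00
    content:":|5C|"; distance:2; within:2; -> skip 2 bytes after that match,
                                             then ':\\' must fill the next 2
    """
    end = find_in_window(payload, b"\x48\x00", start=2, window=2)
    if end < 0:
        return False
    # distance:2 moves the cursor two bytes past the previous match;
    # within:2 with a 2-byte pattern leaves exactly one legal position.
    cursor = end + 2
    return find_in_window(payload, b":\\", start=cursor, window=2) >= 0


# Constructed payloads (not captured traffic) illustrating the layout the rule
# keys on: 2-byte header, 48 00, a 2-byte gap, then a '<letter>:\' drive path.
SAMPLES = {
    "drive_path_at_expected_offset": b"\x00\x10H\x00\x00C:\\example\\",
    "path_one_byte_late":            b"\x00\x10H\x00\x00\x00C:\\example\\",
    "marker_not_at_offset_2":        b"H\x00\x00\x00\x00C:\\example\\",
    "no_path_at_all":                b"\x00\x10H\x00\x00\x00\x00\x00",
}


def evaluate_samples() -> dict:
    """Run the rule logic over every constructed sample."""
    return {name: matches_sid_44716(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

Only the first sample fires; the second shows that shifting the path by one byte escapes the within:2 window, a useful reminder that this signature is a narrow positional check rather than a general path detector.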

Severity

high

Recommendations/Investigative actions

Ensure that you are running the latest version of Oracle GoldenGate, including all vendor-released security patches, and keep the software up to date. Determine whether the connection was authorized. If it was approved, archive the alert and baseline the rule. If not, investigate the connection: if internet-facing IP addresses are involved, check whether the same IP appears in other alerts, block the IP addresses at the firewall and investigate the relevant address.