SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt

These alerts are triggered when detecting the injection of malicious Object-Graph Navigation Language (OGNL) expressions in an HTTP request. OGNL is an expression language used by the Apache Struts framework. These alerts are triggered when an adversary is attempting to gain unauthorized access or execute malicious commands on the server by exploiting the following vulnerabilities CVE-2018-11776, CVE-2013-2134, and CVE-2013-2135.

ID Number

47634

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"@java.lang.Runtime@getRuntime("; http_uri; content:".exec"; within:10; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-admin; sid:47634; rev:1;) 2. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"(@java.lang.Runtime@getRuntime()).exec("; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27574; rev:4;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to investigate the source of this traffic, consider blocking the source IP, and take necessary incident response actions. Ensure your Apache Struts applications are updated to the latest versions or have applied patches to mitigate these vulnerabilities.