Detectionhightest

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Moti HarmatsCreated Sat Feb 114d0af518-828e-4a04-a751-a7d03f3046adapplication

Log Source

jvmapplication

Productjvm← raw: jvm

Categoryapplication← raw: application

Definition

Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)

Detection Logic

detection:
    keywords:
        - 'org.apache.commons.ognl.OgnlException'
        - 'ExpressionSyntaxException'
    condition: keywords

False Positives

Application bugs

References

Resolving title…

wix.engineering

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2017-5638cve.2022-26134

Rule Metadata

Rule ID

4d0af518-828e-4a04-a751-a7d03f3046ad

Status

test

Level

high

Type

Detection

Created

Sat Feb 11

Author

Moti Harmats

Path

rules/application/jvm/java_ognl_injection_exploitation_attempt.yml

Raw Tags

attack.initial-accessattack.t1190cve.2017-5638cve.2022-26134

View on GitHub