sigmahighHunting

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

MITRE ATT&CK

T1190

initial-access

Detection Query

keywords:
  - org.apache.commons.ognl.OgnlException
  - ExpressionSyntaxException
condition: keywords

Author

Moti Harmats

Created

2023-02-11

Data Sources

jvmapplication

Platforms

jvm

References

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

Tags

attack.initial-accessattack.t1190cve.2017-5638cve.2022-26134

Raw Content

title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: test
description: |
    Detects potential OGNL Injection exploitation, which may lead to RCE.
    OGNL is an expression language that is supported in many JVM based systems.
    OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2017-5638
    - cve.2022-26134
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'org.apache.commons.ognl.OgnlException'
        - 'ExpressionSyntaxException'
    condition: keywords
falsepositives:
    - Application bugs
level: high