Exploit Public Facing Application via Apache Commons Text

Splunk Security Content

Summary
This analytic detects attempts to exploit CVE-2022-42889, commonly referred to as Text4Shell, in the Apache Commons Text library. The vulnerability lets an attacker who controls a string that the library passes through StringSubstitutor interpolation execute arbitrary code on the server, for example via crafted HTTP requests. Using the Web datamodel, the rule identifies suspicious HTTP requests whose URI contains keywords such as 'url', 'dns', and 'script', the names of the interpolators that make remote code execution (RCE) possible; their presence in a request URI can indicate an RCE attempt, so catching it early matters for preventing compromise of the server. Because these words also occur in benign URIs, matches should be reviewed together with the full request and the server's response before being treated as confirmed exploitation. Implementing this rule requires collecting web or network traffic that conforms to the Common Information Model (CIM), so that the Web datamodel is populated and can be queried efficiently. The rule aims to facilitate detection, analysis, and response to threats exploiting this critical vulnerability and provides additional contextual information for alerts.
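The following is an added example, not the Splunk rule's own SPL, that reproduces the detection idea above over constructed web access-log lines: it parses the request URI, percent-decodes it repeatedly (attackers commonly double-encode the payload), and then, instead of matching the bare keywords, requires the actual Commons Text interpolation syntax `${script:`, `${dns:` or `${url:`, which removes hits on ordinary paths such as `/docs/script-reference.html`. The log format, IP addresses and URIs are all constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic in Apache combined-log format (not real captures).
# Lines 2-4 carry Text4Shell-style payloads; line 5 contains the word "script"
# in a benign path and must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2024:10:01:02 +0000] "GET /search?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Nov/2024:10:01:05 +0000] "GET /search?q=${script:javascript:java.lang.Runtime.getRuntime().exec('id')} HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.4 - - [15/Nov/2024:10:01:09 +0000] "GET /api?name=%24%7Bdns%3Aaddress%3Aexample.com%7D HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.5 - - [15/Nov/2024:10:02:11 +0000] "POST /upload?cb=%2524%257Burl%253AUTF-8%253Ahttp%253A%252F%252F198.51.100.5%252Fx%257D HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.20 - - [15/Nov/2024:10:03:00 +0000] "GET /docs/script-reference.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Request line and status code from the combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# StringSubstitutor lookup prefixes that CVE-2022-42889 turns into code execution.
# Matching "${<name>:" rather than the bare word is what keeps benign URIs out.
LOOKUP_RE = re.compile(r'\$\{\s*(?P<lookup>script|dns|url)\s*:', re.IGNORECASE)


def normalize(uri: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to `rounds` passes)."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def detect_text4shell(log_text: str) -> list[dict]:
    """Return one finding per request whose URI carries a script/dns/url lookup."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        uri = normalize(m.group("uri"))
        hit = LOOKUP_RE.search(uri)
        if hit is None:
            continue
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "lookup": hit.group("lookup").lower(),
            "decoded_uri": uri,
        })
    return findings


if __name__ == "__main__":
    for f in detect_text4shell(SAMPLE_LOG):
        print(f"{f['src']:15} {f['method']:4} {f['status']} {f['lookup']:6} {f['decoded_uri']}")
```

The decoded URI is kept in the finding so an analyst can see the payload as the server would have interpolated it; the HTTP status is kept because a 500 following a `${script:...}` request is a stronger signal than a 403 from a WAF that blocked it.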
Categories
  • Web
  • Cloud
  • Network
  • Endpoint
Data Sources
  • Named Pipe
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1505.003
  • T1505
  • T1190
  • T1133
Created: 2024-11-15