[Emerging-Sigs] Vulnerable Java Version X

Francis Trudeau trudeauf at gmail.com
Fri Oct 18 11:59:49 HDT 2019


Please don't yell at me.

Some of the Java Version sigs are out of date:

Java 7
2014297  change 'content:!"211";' to 'content:!"241";'

Java 8
2019401  change 'content:!"221";' to 'content:!"231";'

Java 10 is EOL
2025518  remove 'content:!"2"; within:1; http_user_agent;'

There's also no coverage for the following:

Java 11 sig:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; content:"Java/11.0."; http_user_agent; content:!"5"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:3031; rev:1;)

Java 12 sig:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; content:"Java/12.0."; http_user_agent; content:!"2"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:3032; rev:1;)

Java 13 sig:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; content:"Java/13.0."; http_user_agent; content:!"1"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:3033; rev:1;)
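
Added example (not part of the original message, and not Suricata's own matcher): a small Python emulation of the content / negated content / within:1 pair used by the three proposed sigs, run over constructed User-Agent values. It shows which versions alert and the single-byte edge case once an update number reaches two digits; the function names and sample strings are assumptions made for illustration.

```python
# Emulates only: content:"<anchor>"; content:!"<negated>"; within:N;
# evaluated on the http_user_agent buffer. Everything else in the rules
# (flow, flowbits, threshold) is out of scope for this sketch.

def relative_negated_match(buf, anchor, negated, within):
    """True when anchor occurs and negated is NOT found in the `within`
    bytes immediately after that occurrence."""
    start = buf.find(anchor)
    while start != -1:
        end = start + len(anchor)
        if negated not in buf[end:end + within]:
            return True
        start = buf.find(anchor, start + 1)
    return False

# (anchor, negated byte) pairs copied from the three proposed rules
PROPOSED = {
    3031: (b"Java/11.0.", b"5"),
    3032: (b"Java/12.0.", b"2"),
    3033: (b"Java/13.0.", b"1"),
}

def alerting_sids(user_agent):
    """Return the sids whose content logic would fire for this User-Agent."""
    buf = user_agent.encode()
    return [sid for sid, (anchor, negated) in PROPOSED.items()
            if relative_negated_match(buf, anchor, negated, 1)]

# Constructed User-Agent values, not captured traffic
SAMPLES = [
    "Java/11.0.4",   # older update: alerts
    "Java/11.0.5",   # version the rule treats as current: silent
    "Java/11.0.10",  # two-digit update: first byte is "1", so it alerts
    "Java/13.0.10",  # two-digit update: first byte is "1", so it is silent
    "Java/12",       # no ".0." suffix: anchor never matches, silent
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(f"{ua:<14} -> {alerting_sids(ua) or 'no alert'}")
```

Because only one byte after the anchor is inspected, the negated value has to be revisited whenever an update number gains a digit, in the same way the Java 7 and Java 8 sigs above compare three characters.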

