[Emerging-Sigs] Vulnerable Java Version X

Jason Williams jwilliams at emergingthreats.net
Mon Oct 21 17:22:06 HDT 2019


Thanks Fran, we’ll get that fixed up for the update tomorrow!

> On Oct 21, 2019, at 15:35, Francis Trudeau <trudeauf at gmail.com> wrote:
> 
> It appears that 2028867 "ET POLICY Vulnerable Java Version 11.0.x
> Detected" didn't get a threshold.
> 
> This one is my fault, msg is wrong here:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
> content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src;
> reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html;
> classtype:bad-unknown; sid:2028869; rev:2; metadata:affected_product
> Java, attack_target Client_Endpoint, deployment Perimeter,
> signature_severity Informational, created_at 2019_10_18, updated_at
> 2019_10_18;)
> 
>> On Fri, Oct 18, 2019 at 3:04 PM Jason Williams
>> <jwilliams at emergingthreats.net> wrote:
>> 
>> Thanks Fran! Will get these in and updated!
>> 
>>> On Fri, Oct 18, 2019 at 3:00 PM Francis Trudeau <trudeauf at gmail.com> wrote:
>>> 
>>> Please don't yell at me.
>>> 
>>> Some of the Java Version sigs are out of date:
>>> 
>>> Java 7
>>> 2014297  change 'content:!"211";' to 'content:!"241";'
>>> 
>>> Java 8
>>> 2019401  change 'content:!"221";' to 'content:!"231";'
>>> 
>>> Java 10 is EOL
>>> 2025518  remove 'content:!"2"; within:1; http_user_agent;'
>>> 
>>> There's also no coverage for the following:
>>> 
>>> Java 11 sig:
>>> 
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>>> Vulnerable Java Version 11.0.x Detected"; flow:established,to_server;
>>> content:"Java/11.0."; http_user_agent; content:!"5"; within:1;
>>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>>> former_category POLICY;
>>> reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html;
>>> classtype:bad-unknown; sid:3031; rev:1;)
>>> 
>>> Java 12 sig:
>>> 
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>>> Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
>>> content:"Java/12.0."; http_user_agent; content:!"2"; within:1;
>>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>>> former_category POLICY;
>>> reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html;
>>> classtype:bad-unknown; sid:3032; rev:1;)
>>> 
>>> Java 13 sig:
>>> 
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>>> Vulnerable Java Version 13.0.x Detected"; flow:established,to_server;
>>> content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
>>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>>> former_category POLICY;
>>> reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html;
>>> classtype:bad-unknown; sid:3033; rev:1;)
>>> 
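
Added example, not part of the original thread or of the Emerging Threats ruleset: a small Python lint for the two mistakes discussed above, a msg version that disagrees with the User-Agent content match and a rule shipped without a threshold. The function names, the regexes and sid 9000001 are assumptions made for this example, and it only covers the "Java/N.0." rule family.

```python
import re

# Rule 0: the sid 2028869 text quoted in the thread (unwrapped, reference/metadata trimmed).
# Rule 1: constructed for this example, a Java 11 rule with no threshold and a placeholder sid.
# Rule 2: the Java 12 rule as submitted in the thread (sid 3032), expected to pass.
HEAD = 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version '
FLOWBIT = 'flowbits:set,ET.http.javaclient.vulnerable; '
LIMIT = 'threshold: type limit, count 2, seconds 300, track by_src; '
RULES = [
    HEAD + '12.0.x Detected"; flow:established,to_server; content:"Java/13.0."; http_user_agent; '
    'content:!"1"; within:1; http_user_agent; ' + FLOWBIT + LIMIT
    + 'classtype:bad-unknown; sid:2028869; rev:2;)',
    HEAD + '11.0.x Detected"; flow:established,to_server; content:"Java/11.0."; http_user_agent; '
    'content:!"5"; within:1; http_user_agent; ' + FLOWBIT
    + 'classtype:bad-unknown; sid:9000001; rev:1;)',
    HEAD + '12.0.x Detected"; flow:established,to_server; content:"Java/12.0."; http_user_agent; '
    'content:!"2"; within:1; http_user_agent; ' + FLOWBIT + LIMIT
    + 'classtype:bad-unknown; sid:3032; rev:1;)',
]

MSG_RE = re.compile(r'msg:"[^"]*Java Version (\d+\.\d+)\.x')
UA_RE = re.compile(r'content:"Java/(\d+\.\d+)\.";\s*http_user_agent;')
THRESHOLD_RE = re.compile(r'\bthreshold:\s*type\s+\w+')
SID_RE = re.compile(r'\bsid:(\d+);')


def lint_rule(rule):
    """Return (sid, findings) for one Java-version policy rule."""
    findings = []
    sid = SID_RE.search(rule)
    msg = MSG_RE.search(rule)
    ua = UA_RE.search(rule)
    # The msg text should name the same release family the content match looks for.
    if msg and ua and msg.group(1) != ua.group(1):
        findings.append(f"msg says {msg.group(1)}.x but content matches Java/{ua.group(1)}.")
    # Every outbound Java request matches, so an unthresholded rule alerts per request.
    if not THRESHOLD_RE.search(rule):
        findings.append("no threshold option")
    return (int(sid.group(1)) if sid else None, findings)


def lint_all(rules):
    """Map sid -> findings, keeping only rules that have at least one finding."""
    return {sid: found for sid, found in map(lint_rule, rules) if found}


if __name__ == "__main__":
    for sid, found in lint_all(RULES).items():
        print(sid, "; ".join(found))
```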

