Hello Sarah & Ken,
We also observed the payload "/actuator/health", but there is no coverage for this pattern. We have a malicious User-Agent policy that covers it.
Observed User-agent: Mozilla/5.0 zgrab/0.x
Kindly also let us know if there is any signature to cover these payloads.
------------------------------
Jagadesh Kumar R
Information Security Group, Assistant Manager
The Karur Vysya Bank Limited
Karur
------------------------------
Original Message:
Sent: 05-15-2023 20:07
From: Ken Chau
Subject: Spring Boot Eureka Xstream Deserialization RCE vulnerability
Hi Sarah,
You may check this Spring Boot Actuators - cheat-sheets (gitbook.io); the first part discusses how to exploit it. Thanks.
------------------------------
Ken Chau
IT Manager
Original Message:
Sent: 05-15-2023 11:21
From: Sarah Lamont
Subject: Spring Boot Eureka Xstream Deserialization RCE vulnerability
Hi Ken,
I checked in with our Threat research team. Could you provide any more info such as a specific CVE code or a link to an example exploitation?
Thanks,
------------------------------
Sarah Lamont
Digital Community Manager
Original Message:
Sent: 05-15-2023 09:34
From: Ken Chau
Subject: Spring Boot Eureka Xstream Deserialization RCE vulnerability
Hi all,
Is there any signature in the WAF to block the Spring Boot Eureka Xstream Deserialization RCE vulnerability, where an attacker sends GET/POST requests to the following URLs:
/actuator/env
/actuator/refresh
Thank you!
#On-Premises WAF (formerly SecureSphere)
------------------------------
Ken Chau
IT Manager
------------------------------
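A defender-side check for the pattern raised in this thread (requests to /actuator/env, /actuator/refresh and /actuator/health, plus the zgrab User-Agent), written as an added example; it is not part of the thread or of any WAF product. The access log lines are constructed, and the severity labels are assumptions a rule author would tune.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2023:09:31:02 +0000] "GET /actuator/env HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.10 - - [15/May/2023:09:31:03 +0000] "POST /actuator/refresh HTTP/1.1" 403 0 "-" "curl/7.88.1"
198.51.100.7 - - [15/May/2023:09:31:04 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.8 - - [15/May/2023:09:31:05 +0000] "GET /api/orders?id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.5 - - [15/May/2023:09:31:06 +0000] "GET /app/actuator/%65nv HTTP/1.1" 200 480 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Endpoints named in the thread, with an assumed severity a WAF/SIEM rule might assign.
ACTUATOR_SEVERITY = {"env": "high", "refresh": "high", "health": "low"}
SCANNER_UA_RE = re.compile(r"\bzgrab/", re.IGNORECASE)

def normalize_path(target):
    # Decode percent-encoding and collapse ./ and ../ so a rule keyed on the literal
    # string "/actuator/env" still fires on trivially re-encoded variants.
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path).lower()

def inspect_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    findings = []
    # Match the endpoint wherever the actuator base is mounted (e.g. under a context path).
    ep = re.search(r"/actuator/([a-z]+)$", path)
    if ep and ep.group(1) in ACTUATOR_SEVERITY:
        findings.append(("actuator_" + ep.group(1), ACTUATOR_SEVERITY[ep.group(1)]))
    if SCANNER_UA_RE.search(m.group("ua")):
        findings.append(("scanner_ua_zgrab", "medium"))
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": int(m.group("status")), "findings": findings}

def scan_log(text):
    # Return only the requests that triggered at least one finding.
    hits = []
    for line in text.splitlines():
        rec = inspect_line(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], hit["status"], hit["findings"])
```

The health endpoint is often exposed on purpose for load balancers, so it is scored low here and is mainly useful together with the scanner User-Agent signal; the env and refresh endpoints should not be reachable from untrusted networks at all.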