The LetsDefend challenge for July 2023 presents an investigation into a detected RCE (Remote Code Execution) exploitation in Apache Tomcat, specifically the vulnerability tracked as CVE-2024-50379.
The vulnerability allows an attacker to combine a case-insensitivity bypass with a race condition, which can lead to overwriting or modifying existing files on the server.
The alert provides indicators of compromise (IOCs) such as the hostname (TOM-Upload01), destination and source IP addresses, the HTTP request method, the requested URL, and the uploaded file (FILE.jsp).
The analysis of the alert reveals that the attacker attempted to upload a file named FILE.jsp, but only file.jsp was found in the upload directory.
The L1 analyst's note indicates that further investigation is required to identify any abnormal activity or the root cause behind the alert.
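The observation above (a request for FILE.jsp, but only file.jsp on disk) is the kind of case-only mismatch a detection rule can look for on a case-insensitive filesystem. The following script is an added example written for this page; it is not part of the LetsDefend challenge material and does not come from the Tomcat project. It parses constructed access-log lines in the common log format, keeps only write requests (PUT/POST), and flags any write whose target is a JSP file in any letter casing or whose name differs only by case from a file already present in the upload directory. The log lines, the IP addresses, and the directory listing are all constructed sample data.

```python
import re

# Regex for the common/combined access-log prefix: client IP, timestamp,
# request line and status code. Anything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Methods that can create or overwrite content on the server.
WRITE_METHODS = {"PUT", "POST"}

# Constructed sample log lines (not taken from the alert on the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2023:10:00:01 +0000] "PUT /uploads/FILE.jsp HTTP/1.1" 201 0
10.0.0.5 - - [01/Jul/2023:10:00:02 +0000] "GET /uploads/file.jsp HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jul/2023:10:02:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 0
10.0.0.7 - - [01/Jul/2023:10:03:00 +0000] "PUT /uploads/index.Jsp HTTP/1.1" 201 0
"""

# Constructed listing of the upload directory at the time of triage.
UPLOAD_DIR_LISTING = ["file.jsp", "notes.txt"]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def basename(path):
    """Last path segment of a request path (query string stripped)."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def extension(name):
    """Lower-cased extension without the dot, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def case_collision(name, existing):
    """Return an existing file name equal to `name` ignoring case but not
    byte-for-byte, else None. This is the FILE.jsp vs file.jsp situation."""
    for e in existing:
        if e != name and e.lower() == name.lower():
            return e
    return None


def find_suspicious_writes(log_text, existing_files):
    """Flag write requests that target JSP files (any casing) or that collide
    case-insensitively with a file already present in the upload directory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        name = basename(rec["path"])
        reasons = []
        if extension(name) == "jsp":
            reasons.append("writes a JSP (server-executable) file")
        collided = case_collision(name, existing_files)
        if collided is not None:
            reasons.append(f"case-only difference from existing file {collided!r}")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_writes(SAMPLE_LOG, UPLOAD_DIR_LISTING):
        print(f"{f['ip']} wrote {f['path']} (HTTP {f['status']}): " + "; ".join(f["reasons"]))
```

Run against the sample data, the script reports the FILE.jsp write twice over (it is a JSP and it collides with the existing file.jsp) and the index.Jsp write once, while the PDF upload passes. As a hardening check alongside this detection, confirm that the Tomcat default servlet is not configured with `readonly` set to `false` unless uploads are genuinely required; that setting is not discussed on the page, but it is the switch that decides whether PUT requests can write files at all.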
Users are advised to review the documentation provided by LetsDefend and to keep their systems current with the latest security patches so that known vulnerabilities cannot be exploited.