04-07-2022 06:00 AM
Hello all,
I receive alerts from FMC (6.7.0.3) - Below is an example of one alert I recently received:
[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" [Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr 5 18:00:19 2022 UTC [Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} 3.238.137.11:46096 (united states)-><internal IP>:80 (unknown)
Does this indicate that the session was blocked, or is it just indicating that it was detected and not necessarily blocked? And does this indicate that our host is possibly vulnerable to the exploit?
Thanks
04-07-2022 08:18 AM
The default action for that Snort rule is to Block and Alert. So unless you changed the action, it was blocked. Your intrusion events screen would show you the exact disposition.
It appears your ASA-5516X was being scanned. Normally it wouldn't have port 80 open on its public interface unless you are port forwarding to something internal.
An ASA 5516-X by itself is not vulnerable to the Log4j vulnerabilities. Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
04-07-2022 11:55 AM
Thank you Marvin -
Also, the target IP was for a web application server.
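As an added illustration (not code from this thread or from Cisco), here is a small parser for the FMC/Snort syslog alert layout shown in the question. It pulls out the GID:SID:rev, message, impact, sensor, timestamp, classification, priority, protocol and endpoints, and groups repeated hits by rule so you can see how many distinct sources probed which ports. The regex is an assumption built from the one line on the page, not Cisco's documented grammar. It also makes the answer's point explicit in code: the syslog line carries no block/allow verdict, so the `inline_result` field is left unknown and has to be read from the Intrusion Events table in FMC. The second and third sample lines use RFC 5737 documentation addresses and are constructed, not real events.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Pattern for the alert layout seen in the question. This is an assumption
# derived from that single line, not an official Cisco syslog grammar.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)"'
    r' \[Impact: (?P<impact>[^\]]*)\] From "(?P<sensor>[^"]*)" at (?P<ts>.+?)'
    r' \[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\]'
    r' \{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) \((?P<src_geo>[^)]*)\)'
    r'->(?P<dst>.+?):(?P<dport>\d+) \((?P<dst_geo>[^)]*)\)$'
)

# Sample input: the line from the question (destination redacted as on the
# page) plus two constructed follow-ups and one non-alert line to be skipped.
SAMPLE_ALERTS = [
    '[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" '
    '[Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr 5 18:00:19 2022 UTC '
    '[Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} '
    '3.238.137.11:46096 (united states)-><internal IP>:80 (unknown)',
    # constructed: same rule, different source, doubled space in the date
    '[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" '
    '[Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr  5 18:00:21 2022 UTC '
    '[Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} '
    '203.0.113.7:51000 (unknown)-><internal IP>:80 (unknown)',
    # constructed: same source as the question hitting another port
    '[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" '
    '[Impact: Vulnerable] From "ASA-5516X" at Tue Apr 5 18:00:40 2022 UTC '
    '[Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} '
    '3.238.137.11:46100 (united states)-><internal IP>:8080 (unknown)',
    'some unrelated syslog text that the parser should skip',
]


def parse_alert(line):
    """Return a dict of fields from one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        ev[key] = int(ev[key])
    # Syslog dates may pad the day with two spaces ("Apr  5"); collapse first.
    ts = " ".join(ev["ts"].split())
    ev["ts"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y UTC").replace(tzinfo=timezone.utc)
    # The alert text says nothing about whether the packet was dropped. That
    # verdict is the "Inline Result" column in the FMC Intrusion Events view,
    # so it is recorded here as unknown rather than guessed from the rule.
    ev["inline_result"] = None
    return ev


def summarize(lines):
    """Group parsed alerts by (GID, SID); return (groups, unparsed_lines)."""
    groups = defaultdict(lambda: {"msg": None, "count": 0, "sources": set(),
                                  "targets": set(), "impacts": set()})
    unparsed = []
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            unparsed.append(line)
            continue
        g = groups[(ev["gid"], ev["sid"])]
        g["msg"] = ev["msg"]
        g["count"] += 1
        g["sources"].add(ev["src"])
        g["targets"].add((ev["dst"], ev["dport"]))
        g["impacts"].add(ev["impact"])
    return dict(groups), unparsed


if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE_ALERTS)
    for (gid, sid), g in groups.items():
        print(f"{gid}:{sid} {g['msg']}: {g['count']} hits from "
              f"{len(g['sources'])} source(s) -> {sorted(g['targets'])}; "
              f"impact {sorted(g['impacts'])}; disposition: check FMC Inline Result")
    print(f"{len(skipped)} line(s) not parsed")
```

Run it over an export of the syslog alerts and the grouping shows whether one rule is firing from many sources against many ports (a scan, as the answer suggests) or a single source against the one web application server; either way the block/alert decision still has to be confirmed in the FMC intrusion events, because the alert text alone does not carry it.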