HTTP/Exploit.CVE-2021-41773 on an Apache Tomcat server


Markwd
Solved by Nevermind

Hello,

Just a quick (global) question:

We have a webserver containing an instance of Apache Tomcat version 9 (not fully up to date).

The server also has ESET Server Security version 9 on it.

Once in a while ESET Server Security detects an attempt to exploit HTTP/Exploit.CVE-2021-41773 on the Tomcat.exe process.

The exploit is bound to a vulnerability in Apache HTTPD instead of Tomcat.

Would that be an attempt by the attacker to test whether the webserver accidentally has a vulnerable httpd version on it, and is that what is triggering ESET to detect the exploit attempt? Could it be a FP, because Tomcat.exe is not vulnerable to this exploit, or could something else be the reason ESS is triggered?

Thanks!


  • Solution

Hey Markwd,

that's a network detection only (i.e. it's neither a file nor a memory detection). The way I see it, someone is testing whether your server is vulnerable to this exploit. If you have logging enabled, you can check if there are any requests similar to this:
hxxp://<your_server>/cgi-bin/.%2e/%2e%2e/%2e%2e....

(src: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py)

ESET doesn't check whether you are actually running vulnerable software or not. It sees an exploit attempt -> it displays a detection window.

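One way to run the log check suggested in the answer above, as an added example that is not part of the original posts: it scans access-log lines for path segments that turn into `.` or `..` only after percent-decoding, and goes slightly beyond the quoted request by also following nested encoding. The log lines, IP addresses and the `constructed-target` path are constructed, and the format assumed is Tomcat's `common` access-log pattern.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b (assumed format)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def encoded_dot_segments(target, max_rounds=3):
    """Return raw path segments that become '.' or '..' only after percent-decoding."""
    hits = []
    for raw in target.split("?", 1)[0].split("/"):
        if "%" not in raw:
            continue  # nothing encoded in this segment
        decoded = raw
        for _ in range(max_rounds):  # bounded loop follows nested encoding
            step = unquote(decoded)
            if step == decoded:
                break
            decoded = step
        if decoded in (".", ".."):
            hits.append(raw)
    return hits

def scan(lines):
    """Return (line number, client, HTTP status, suspicious segments) per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if match is None:
            continue  # not an access-log line in the assumed format
        segments = encoded_dot_segments(match["target"])
        if segments:
            findings.append((number, match["ip"], int(match["status"]), segments))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder target path).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2022:10:15:01 +0100] "GET /index.jsp HTTP/1.1" 200 5120',
    '203.0.113.45 - - [12/Mar/2022:10:15:09 +0100] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/constructed-target HTTP/1.1" 404 682',
    '203.0.113.45 - - [12/Mar/2022:10:15:10 +0100] "GET /cgi-bin/%252e%252e/constructed-target HTTP/1.1" 400 435',
    '198.51.100.7 - - [12/Mar/2022:10:16:30 +0100] "GET /docs/release%2enotes.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, client, status, segments in scan(SAMPLE_LOG):
        print(f"line {number}: {client} -> HTTP {status}, encoded dot segments {segments}")
```

The status code in each finding shows how the server answered the probe.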
