Markwd
Posted September 28, 2022

Hello,

Just a quick (global) question:

We have a webserver containing an instance of Apache Tomcat version 9 (not fully up-to-date). The server also has ESET Server Security version 9 on it. Once in a while ESET Server Security detects an attempt to exploit HTTP/Exploit.CVE-2021-41773 on the Tomcat.exe process. The exploit is bound to a vulnerability in Apache HTTPD instead of Tomcat.

Would that be an attempt of the attacker to try if the webserver accidentally has a vulnerable httpd version on it, what is triggering ESET to detect the exploit attempt? Could it be a FP, because Tomcat.exe is not vulnerable to this exploit, or could something else be the reason ESS is triggered?

Thanks!

Nevermind (Solution)
Posted September 30, 2022

Hey Markwd,

that's a network detection only (i.e. it's neither a file nor memory detection). The way I see it, someone tries whether your server is vulnerable to this exploit. If you have logging enabled you can check if there are any requests similar to this:

hxxp://<your_server>/cgi-bin/.%2e/%2e%2e/%2e%2e....

(src: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py)

ESET doesn't check whether you are actually running a vulnerable software or not. It sees an exploit attempt -> it displays a detection window.
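
Added example, not part of either post above and not ESET or Tomcat code: one way to run the log check suggested in the answer, assuming Tomcat's AccessLogValve writes the `common` pattern (`%h %l %u %t "%r" %s %b`). The function names and the sample log lines are constructed for illustration; the script flags requests whose path only contains `..` segments after percent-decoding and reports the status code the server returned.

```python
import re
from urllib.parse import unquote

# Assumed format: Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# A percent-encoded dot, including nested encodings such as %252e
ENCODED_DOT = re.compile(r'%(?:25)*2e', re.IGNORECASE)

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_traversal_probes(lines):
    """Return (client, time, raw_path, status) for paths hiding '..' behind encoding."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, when, _method, raw_path, status = m.groups()
        path = raw_path.split("?", 1)[0]
        if not ENCODED_DOT.search(path):
            continue  # no encoded dot, so nothing is being hidden
        segments = fully_decode(path).replace("\\", "/").split("/")
        if ".." in segments:
            hits.append((client, when, raw_path, int(status)))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Sep/2022:10:15:02 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/placeholder HTTP/1.1" 404 682',
    '203.0.113.20 - - [28/Sep/2022:10:16:40 +0200] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.20 - - [28/Sep/2022:10:17:05 +0200] "GET /docs/release%2enotes.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Sep/2022:10:18:11 +0200] "POST /cgi-bin/%2E%2E/%2E%2E/placeholder HTTP/1.1" 400 435',
]

if __name__ == "__main__":
    for client, when, raw_path, status in find_traversal_probes(SAMPLE_LOG):
        print(f"{when} {client} -> {status} {raw_path}")
```

A 4xx status next to a flagged request means the server refused it; a 200 on such a path is the case that needs a closer look.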