
IR - SOC334 - Apache Tomcat RCE Exploitation Detected (CVE-2024-50379)

Continuing with the Incident Responder Path, we tackle a CRITICAL alert, "SOC334 - Apache Tomcat RCE Exploitation Detected (CVE-2024-50379)". Was this a Red Team test, a misconfiguration, a false positive, or possibly something more malicious?

⭐ Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Tomcat Detected (CVE-2024-50379)
EventID: 312
Event Time: Jan, 10, 2025, 06:05 PM
Rule: SOC334 - Apache Tomcat RCE Exploitation Detected (CVE-2024-50379)
Level: Incident Responder
Hostname: TOM-Upload01
Destination IP Address: 172.16.20.47
Source IP Address: 3.144.85.113
HTTP Request Method: POST
Requested URL: 172.16.20.47/upload.jsp
Uploaded File: FILE.jsp
Content-Type: multipart/form-data
Content-Length: 1506
Alert Trigger Reason: Exploitation of CVE-2024-50379 detected. The attacker leveraged a case-insensitivity bypass and a race condition to overwrite or modify an existing file on the server.
L1 Note: The attacker uploaded a file named FILE.jsp. Upon investigation, only file.jsp was found in the uploads folder, which was already present on the server. Escalating to L2 for deeper investigation and mitigation steps.
Device Action: Allowed
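An added detection example, not from the video or the alert platform: it parses constructed upload log lines modelled on the alert's fields and flags any upload whose name matches a file already in the upload folder only when letter case is ignored (FILE.jsp vs. file.jsp), which is the case-insensitivity precondition the alert describes. The log format, the folder listing and the function name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from the page's environment), modelled on the
# alert fields: timestamp, host, source IP, method, URL, uploaded filename.
SAMPLE_LOG = """\
2025-01-10T18:05:00 TOM-Upload01 3.144.85.113 POST /upload.jsp FILE.jsp
2025-01-10T18:06:12 TOM-Upload01 10.0.0.5 POST /upload.jsp report.pdf
2025-01-10T18:07:30 TOM-Upload01 3.144.85.113 POST /upload.jsp Index.Jsp
2025-01-10T18:08:01 TOM-Upload01 10.0.0.9 POST /upload.jsp notes.txt
"""

# Constructed listing of what already sits in the webapp's upload folder.
EXISTING_FILES = {"file.jsp", "index.jsp", "readme.txt"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<fname>\S+)$"
)
# Extensions the JSP servlet compiles and executes; a collision here is the worst case.
SERVLET_EXTS = (".jsp", ".jspx")


def find_case_variant_overwrites(log_text: str, existing: set) -> List[Dict[str, str]]:
    """Flag uploads whose name differs from an existing file only by letter case.

    On a case-insensitive filesystem (Windows/NTFS, as under C:\\xampp\\tomcat\\)
    FILE.jsp and file.jsp resolve to the same path, so such an upload can replace
    a file Tomcat already serves; an exact-name overwrite is not flagged here.
    """
    lower_map = {name.lower(): name for name in existing}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        fname = m["fname"]
        target = lower_map.get(fname.lower())
        if target is None or target == fname:
            continue  # brand-new file, or same spelling as the existing one
        findings.append({
            "time": m["ts"], "src": m["src"], "uploaded": fname, "collides_with": target,
            "severity": "critical" if fname.lower().endswith(SERVLET_EXTS) else "medium",
        })
    return findings
```

Each finding names the source IP and the existing file it collides with, which is what an L2 needs to pull the file from disk and compare its hash against the original.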
CVE:
https://www.herodevs.com/vulnerability-directory/cve-2024-50379?nes-for-apache-tomcat
https://blog.securelayer7.net/cve-2024-50379-apache-tomcat/
https://github.com/pwnosec/CVE-2024-50379
https://github.com/v3153/CVE-2024-50379-POC

FILE:
https://www.virustotal.com/gui/file/598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0/detection

IP:
https://www.virustotal.com/gui/ip-address/3.144.85.113/detection
https://www.abuseipdb.com/check/3.144.85.113
https://talosintelligence.com/reputation_center/lookup?search=3.144.85.113

NOTES:
C:\xampp\tomcat\

Video "IR - SOC334 - Apache Tomcat RCE Exploitation Detected (CVE-2024-50379)" from the InfoSec_Bret channel