This package detects a subset of CVE-2022-22954 attempts and exploits, generates a notice, and also includes the exploit URI and the first 4KB of the data that was sent back to the attacker as a response. While detecting this attack is more straightforward from log analysis, this package helps by logging the response sent back to the attacker to aid in incident response.
Two notices can be generated from this package: VMWareRCE2022::ExploitAttempt and VMWareRCE2022::ExploitSuccess.
The first is generated when an attack is attempted, but does not necessarily succeed. The second is fired only when a successful exploit is detected and should be investigated immediately. Below is an example of a successful exploit notice.
1223906136.104000 C5uvDn3o7ejGdRxeVb - - - - - - - - VMWareRCE2022::ExploitSuccess 192.168.0.1 successfully exploited 173.37.145.84. See sub for uri/response. uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid=${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\x0a - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
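As an added illustration (not the package's own source), the following minimal Zeek script shows how the two notices above can be produced: it flags requests whose URI carries the Freemarker Execute expression, keeps the first 4KB of the server's reply, and raises the success notice when that reply is a 200 with a body. The 200-status success heuristic and the HTTP::Info field names are assumptions of this example.

```zeek
@load base/frameworks/notice
@load base/protocols/http

module VMWareRCE2022;
export {
    redef enum Notice::Type += {
        ExploitAttempt,   # injection URI seen in a request
        ExploitSuccess,   # server answered it with a 200 and a body (assumed heuristic)
    };
    const max_response_bytes: count = 4096 &redef;   # keep at most 4KB, as the package does
}

# Per-request state carried on the HTTP record (field names are this example's own).
redef record HTTP::Info += {
    vmware_exploit_uri: string &optional;
    vmware_response:    string &default="";
};
# Marker of the Freemarker expression from the notice above.
const exploit_marker = /freemarker\.template\.utility\.Execute/;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( exploit_marker !in unescaped_URI )
        return;
    c$http$vmware_exploit_uri = unescaped_URI;
    NOTICE([$note=ExploitAttempt, $conn=c,
            $msg=fmt("%s attempted CVE-2022-22954 against %s", c$id$orig_h, c$id$resp_h),
            $sub=fmt("uri: %s", unescaped_URI), $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

# Keep the first max_response_bytes of the server's reply to a flagged request.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( is_orig || ! c?$http || ! c$http?$vmware_exploit_uri )
        return;
    local have = |c$http$vmware_response|;
    if ( have < max_response_bytes )
        c$http$vmware_response += sub_bytes(data, 1, max_response_bytes - have);
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( is_orig || ! c?$http || ! c$http?$vmware_exploit_uri )
        return;
    if ( c$http?$status_code && c$http$status_code == 200 && |c$http$vmware_response| > 0 )
        NOTICE([$note=ExploitSuccess, $conn=c,
                $msg=fmt("%s successfully exploited %s. See sub for uri/response.", c$id$orig_h, c$id$resp_h),
                $sub=fmt("uri: %s; response: %s", c$http$vmware_exploit_uri, c$http$vmware_response),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```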
This package can be installed with zkg using the following commands:
$ zkg refresh
$ zkg install cve-2022-22954
Corelight customers can install it by updating the CVE bundle.