This package detects a subset of CVE-2022-22954 exploit attempts and successful exploits. For each detection it generates a notice that includes the exploit URI and the first 4KB of the data that was sent back to the attacker as a response. While this attack is more straightforward to detect through log analysis, this package aids incident response by logging the response that was sent back to the attacker.

Sample Notice

Two notices can be generated from this package:

  • VMWareRCE2022::ExploitAttempt, and
  • VMWareRCE2022::ExploitSuccess

The first is generated when an attack is attempted, but does not necessarily succeed. The second is fired only when a successful exploit is detected and should be investigated immediately. Below is an example of a successful exploit notice.

1223906136.104000       C5uvDn3o7ejGdRxeVb      -       -       -       -       -       -       -       -       VMWareRCE2022::ExploitSuccess successfully exploited See sub for uri/response.     uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid=${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\x0a        -       -       -       -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
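As an added example (not part of the package), the following Python reads a notice.log, keeps the two VMWareRCE2022 notices, lists ExploitSuccess first, and splits the sub field into the URI and the response bytes. The sample log is constructed with a reduced column set and made-up timestamps and uids, the function names are this example's own, and the attempt row's sub is left unset because the page does not show that format.

```python
import re

# Lower number = higher priority; ExploitSuccess needs immediate investigation.
NOTES = {"VMWareRCE2022::ExploitSuccess": 0, "VMWareRCE2022::ExploitAttempt": 1}

SAMPLE_LOG = "\n".join([  # constructed notice.log excerpt; values are made up
    "#separator \\x09",
    "#fields\tts\tuid\tnote\tmsg\tsub",
    "1650000000.000000\tCaaa\tVMWareRCE2022::ExploitAttempt\t(constructed)\t-",
    "1650000005.000000\tCbbb\tSSL::Invalid_Server_Cert\t(constructed)\t-",
    "1650000009.000000\tCccc\tVMWareRCE2022::ExploitSuccess\t(constructed)\t"
    "uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\\x0a",
])

def unescape(value):
    """Undo Zeek's ASCII-log escaping: \\xNN is one byte, \\\\ is one backslash."""
    def repl(m):
        token = m.group(1)
        return b"\\" if token == b"\\" else bytes([int(token[1:], 16)])
    return re.sub(rb"\\(\\|x[0-9a-fA-F]{2})", repl, value.encode())

def parse_sub(sub):
    """Split 'uri: <uri>; response: <data>' as seen in the sample notice."""
    if not sub.startswith("uri: "):
        return None, None
    uri, sep, response = sub[len("uri: "):].partition("; response: ")
    return uri, (unescape(response) if sep else None)

def triage(log_text):
    """Return this package's notices, successful exploits first, then by time."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]  # column names come from the log header
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            if row.get("note") in NOTES:
                uri, response = parse_sub(row.get("sub", "-"))
                hits.append({"ts": row["ts"], "uid": row["uid"],
                             "note": row["note"], "uri": uri, "response": response})
    return sorted(hits, key=lambda h: (NOTES[h["note"]], float(h["ts"])))

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        # repr() keeps attacker-influenced bytes from reaching the terminal raw
        print(hit["note"], hit["uid"], repr(hit["uri"]), repr(hit["response"]))
```

The uid of each hit can be used to pivot into conn.log and http.log for the same connection.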


This package can be installed with zkg using the following commands:

$ zkg refresh
$ zkg install cve-2022-22954

Corelight customers can install it by updating the CVE bundle.
