# CVE-2022-22954

This package detects a subset of CVE-2022-22954 attempts and exploits and
generates a notice that includes the exploit URI and the first 4KB of the data
that was sent back to the attacker as a response. While detecting this attack
is more straightforward from log analysis, this package helps by logging the
response sent back to the attacker to aid in incident response.

## Sample Notice

Two notices can be generated from this package:

* `VMWareRCE2022::ExploitAttempt`, and
* `VMWareRCE2022::ExploitSuccess`

The first is generated when an attack is attempted; the attempt does not
necessarily succeed. The second is fired only when a successful exploit is
detected and should be investigated immediately. Below is an example of a
successful exploit:

```
1223906136.104000       C5uvDn3o7ejGdRxeVb      -       -       -       -       -       -       -       -       VMWareRCE2022::ExploitSuccess successfully exploited See sub for uri/response.     uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid=${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\x0a        -       -       -       -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
```
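
A triage helper for the notices above, added here as an example and not part of this package: it reads a Zeek TSV `notice.log`, keeps the two `VMWareRCE2022` notices, and splits `sub` into the URI and the unescaped response. The `uri: ...; response: ...` layout is taken from the sample notice; the five-column sample log, the second row, and the function names are assumptions made for the example.

```python
import re

# Constructed sample: a Zeek TSV notice.log cut down to five columns (assumption).
# The first row's sub value is copied from the sample notice in this README.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tnote\tmsg\tsub",
    "1223906136.104000\tC5uvDn3o7ejGdRxeVb\tVMWareRCE2022::ExploitSuccess\t"
    "successfully exploited See sub for uri/response.\t"
    "uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\\x0a",
    "1223906137.000000\tCconstructed0000001\tSSL::Invalid_Server_Cert\tunrelated\t-",
    "#close\t2008-10-13-00-00-00",
])

NOTES = ("VMWareRCE2022::ExploitSuccess", "VMWareRCE2022::ExploitAttempt")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def unescape(value):
    # Zeek's ASCII writer logs non-printable bytes as \xNN; restore them.
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)

def parse_sub(sub):
    # Assumption: the logged URI never contains "; response: ", so the first
    # occurrence is the delimiter even if the response body repeats that text.
    uri, sep, response = sub.partition("; response: ")
    uri = uri[len("uri: "):] if uri.startswith("uri: ") else uri
    return uri, (unescape(response) if sep else None)

def triage(log_text):
    # Map columns by the #fields header instead of fixed positions.
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        if row.get("note") in NOTES:
            uri, response = parse_sub(row.get("sub", "-"))
            hits.append({"ts": float(row["ts"]), "uid": row["uid"],
                         "note": row["note"], "uri": uri, "response": response})
    # ExploitSuccess sorts first: those need immediate investigation.
    return sorted(hits, key=lambda h: NOTES.index(h["note"]))

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["note"], hit["uid"], hit["uri"], repr(hit["response"]))
```

The `uid` on each hit can be used to pivot to the matching connection and HTTP records in the other Zeek logs.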

## Installing

This package can be installed with `zkg` using the following commands:

```
$ zkg refresh
$ zkg install cve-2022-22954
```

Corelight customers can install it by updating the CVE bundle.