Detect subset of Spring4Shell vulnerability (CVE-2022-22965) exploit attempts against any of your internet-facing applications sitting behind HTTP(S) Load Balancer. This detection inspects URL and query string only; it is not meant to be exhaustive of all variants of this exploit.
Category: Network Activity
Use Cases: Detect
Data Sources: HTTP(S) LB Logs
| BigQuery | Chronicle | Log Analytics |
|---|---|---|
| SQL | YARA-L | Contribute query |
No event generation steps provided. Contribute emulation test to this use case.
{
"insertId": "op1da3f1iheiv",
"jsonPayload": {
"statusDetails": "handled_by_identity_aware_proxy",
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
},
"httpRequest": {
"requestMethod": "POST",
"requestUrl": "https://203.0.113.255/path?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
"requestSize": "176",
"status": 401,
"responseSize": "256",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
"remoteIp": "192.158.1.38",
"latency": "0.173624s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"zone": "global",
"url_map_name": "my-application-lb-map",
"forwarding_rule_name": "my-application-lb-fwd-rule",
"project_id": "1234",
"target_proxy_name": "my-application-lb-proxy",
"backend_service_name": "my-application-backend-service"
}
},
"timestamp": "2022-04-02T00:34:29.860280Z",
"severity": "WARNING",
"logName": "projects/1234/logs/requests",
"trace": "projects/1234/traces/9811415033b66a1320f760e091b1ef57",
"receiveTimestamp": "2022-04-02T00:34:31.577704203Z",
"spanId": "b648b79bed5f941e"
}