
RSA Netwitness CVE-2022-21907 detection

What is CVE-2022-21907?

CVE-2022-21907 is a bug in the HTTP Protocol Stack (http.sys), a component the Windows Internet Information Services (IIS) web server needs to host web pages. Attackers can send crafted packets to the http.sys process and trick the system into running their injected code; they gain this access by abusing the HTTP Trailer Support feature.

The vulnerability is rated with a CVSS score of 9.8. Given the low complexity of the attack and the wormable nature of the vulnerability, Microsoft suggests patching without delay. Both Windows Server and desktop versions are affected by this bug.

Detection Introduction

This write-up is intended for seasoned RSA professionals. It is not a how-to; rather, it provides the details at a high level to implement detection measures for CVE-2022-21907, assuming you are ingesting these logs into your RSA Netwitness SIEM.


  • Download HTTP_lua_options.lua and push to Packet Decoders

Below are the three actions needed once the prerequisites are in place.

SSH into a Packet Decoder and run vi /etc/netwitness/ng/parsers/HTTP_lua_options.lua
Under "function customHeaders()" add:

["trailer"] = "trailer",

On your concentrators, configure index-concentrator-custom: add the following and push it to all concentrators:

<key level="IndexValues" format="Text" name="Trailer" valueMax="100000" defaultAction="Closed"/>

From the UI configure your App Rule Content on the packet decoders, and push the rules to all packet decoders:

trailer exists -> RSA Alerts (CVE-2022-21907 trailer observed)

Finally reload parsers from explorer and restart the NwConcentrator service on all concentrators.
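
An offline emulation of the "trailer exists" app rule, as an added example that is not part of the original post and uses no NetWitness API: it parses constructed raw HTTP requests, picks up the Trailer header case-insensitively, and returns the alert name used above. The "chunked" field and the host name iis.example are assumptions added for triage and illustration.

```python
# Added example: offline emulation of the "trailer exists" app rule.
# Sample requests are constructed; no NetWitness API is used.

ALERT = "CVE-2022-21907 trailer observed"  # alert name from the app rule above


def parse_headers(raw: bytes) -> dict:
    """Map lowercased header names to value lists for one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:                               # ignore malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def trailer_alert(raw: bytes):
    """Return an alert dict if a Trailer request header exists, else None."""
    headers = parse_headers(raw)
    if "trailer" not in headers:
        return None
    # Added triage hint (assumption, not part of the rule): trailers are only
    # meaningful on chunked bodies, so record whether chunked coding is declared.
    chunked = any("chunked" in v.lower()
                  for v in headers.get("transfer-encoding", []))
    return {"alert": ALERT,
            "trailer": ", ".join(headers["trailer"]),
            "chunked": chunked}


# Constructed sample requests
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: iis.example\r\n\r\n",
    "chunked_post": (b"POST /upload HTTP/1.1\r\nHost: iis.example\r\n"
                     b"Transfer-Encoding: chunked\r\nTrailer: Expires\r\n\r\n"),
    "odd_case": (b"POST /api HTTP/1.1\r\nHost: iis.example\r\n"
                 b"TRAILER: X-Checksum\r\nContent-Length: 0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", trailer_alert(raw))
```

The rule keys on the presence of the header alone, so any client that legitimately sends a Trailer header will also raise the alert and needs to be triaged.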


While this is not a fix for the bug, it can bridge the gap between CVE release and Windows patching. I hope this has been helpful! Please feel free to reach out to me with any questions.
