Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Progress Kemp LoadMaster protects from security vulnerability Apache Log4j 2 (CVE-2021-44228)

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly via the projects GitHub on December 9th, 2021. The vulnerability affects Apache Log4j 2 versions 2.0 to 2.14.1.

We have validated that the following products are not susceptible to the Log4j vulnerability:

  • LoadMaster
  • LoadMaster GEO
  • LoadMaster MT
  • ECS Connection Manager
  • Kemp 360 Central
  • Kemp 360 Vision

This is a short KB article to assist Kemp customers in mitigation of this vulnerability while following Apache best practices.

How Can Your LoadMaster Assist In Mitigating These Vulnerabilities?

Kemp recommends that users patch their environments that use the Log4j packages to mitigate this vulnerability as their primary response. Any Kemp load balancer (virtual, cloud, bare metal or dedicated hardware) can assist with the mitigation of this vulnerability depending on your current deployment model.

Kemp provides two options for remediation actions to mitigate against Log4j. These are outlined below as:

  1. Content Rule
  2. Web Application Firewall (WAF) rule

Content Rule Recommend Actions

The approach outlined in this flow is to use a content rule to block all external traffic based on the User-Agent and the specific Apache end point that is being attacked.

In the example below, the LoadMaster is matching against the User-Agent header field and attempting to match on either

/^*(jndi:ldap)*$/

or

/^.*(jndi:ldap|jndi:dns|jndi:rmi|jndi:rni).*$/

depending on the level of granularity.

Picture1.png

Figure 1: User-Agent Example (Basic)

Picture2.png

Figure 2: User-Agent Example (Extended)

Once the Content Rule is created, this can be applied to the appropriate Virtual Service(s) to aid mitigation. For example, it would be appropriate to use this same Match String against the Referer header as well.

As this attack continues to mature, more content rules for different Header Fields and Match Strings would be required. Customers are strongly encouraged to stay up-to-date with mitigation strategies since these are evolving given the scale of this vulnerability.

Web Application Firewall (WAF) Rules

This approach is to use the OWASP CRS native rule 932130 to protect against the body and to extend this to the REQUEST_HEADERS as well.

These rules are adapted for LoadMaster from the OWASP CRS information available here.

Please note, if your anomaly score is 15 or higher this rule will not block the request.  For more information on anomaly scoring please see our WAF feature description here.

The relevant rules that we need to apply in this scenario are:

# Apply the rule 932130 to all of the HTTP headers
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"
# Generic rule against CVE-2021-44228 (Log4j)
SecRule REQUEST_LINE|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS "@rx \${[^}]*\${" \
"id:1000,\
phase:1,\
block,\
t:none,t:urlDecodeUni,t:cmdline\
multimatch,\
log,\
msg:'Potential Remote Command Execution: Log4j CVE-2021-44228' \
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Targetted rule against CVE-2021-44228 (Log4j)
# Can be evaded
SecRule REQUEST_LINE|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS "@rx \${jndi:(?:ldaps?|iiop|dns|rmi)://" \
"id:1001,\
phase:1,\
block,\
t:none,t:lowercase,t:urlDecodeUni,\
multimatch,\
log,\
msg:'Remote Command Execution: Log4j CVE-2021-44228' \
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.x',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Targetted rule against CVE-2021-44228 (Log4j)
# Alternative generic regex
SecRule REQUEST_LINE|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS "@rx \${[\w${}\-:]*j[\w${}\-:]*n[\w${}\-:]*d[\w${}\-:]*i[\w${}\-:]*:.*}" \
"id:1002,\
phase:1,\
block,\
t:none,t:lowercase,t:urlDecodeUni,\
log,\
msg:'Remote Command Execution: Log4j CVE-2021-44228', \
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.x',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
SecRule REQUEST_LINE|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
"id:1005,\
phase:1,\
block,\
t:none,t:urlDecodeUni,t:cmdline,\
log,\
msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

These are added to a text file and uploaded to the LoadMaster WAF and applied to the appropriate Virtual Service(s) as shown in Figure 3.

Picture3.jpg

Figure 3: Custom WAF Rule

We can then trigger an attack using the command below, where CVEBlog points to the Virtual Service IP.

curl.png

This is blocked by the Web Application Firewall as shown in Figure 4.

Picture4.jpg

Figure 4: WAF Blocking

For additional information on this vulnerability as it relates to other Progress products, refer to the Progress Security Center: https://www.progress.com/security or please contact the LoadMaster support team.

Additional Information

Given the scale of this vulnerability, customers are strongly encouraged to stay up-to-date with evolving mitigation strategies.

For additional information about the discovered vulnerability:

CVE-2021-44228

Apache Advisory

OWASP CRS Advisory


Comments

Avatar

Nick Smylie

Updated this article to include rule 1002 and rule 1005.  We recommend running them all to better increase an anomaly score and ensure a block.

0