Anyone have a WAF rule to prevent the log2shell vulnerability?
Log2Shell
5 comments
When I add those rules as custom rules to the Kemp WAF, it is detecting such attack vectors and displays them in "false positive analysis" -> "Rule Counts", but it doesn't raise the anomaly score and is not listed in "Anomaly Histogram". Consequently it is not blocking such attacks no matter how low the "Anomaly Scoring Threshold" is, because those rules don't add any score to it.
Is it possible that I have a misconfiguration somewhere? I'm not very familiar with the WAF options in Kemp. Or do others have the same "problem"?
I decided to set those rules to "deny" instead of "block" for the time being. At least that's working.
Best regards
Vinzenz Meyer
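To illustrate the symptom described in the post above (a custom rule that shows up in the rule counts yet never raises the anomaly score, so the threshold is never reached), here is an added Python model of anomaly-scoring evaluation. It is example code, not Kemp's WAF engine or the CRS rules; the rule ids, scores, actions and request values are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of anomaly-scoring WAF evaluation (not Kemp's or CRS's code).
# A rule either adds its score to the request's anomaly score ("block") or rejects
# the request on the spot ("deny"). A scoring rule with score 0 reproduces the
# symptom from the post: it is counted as matched but can never trip the threshold.

# Detection pattern for a JNDI lookup string in request data (constructed stand-in
# for the real CRS rule logic).
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(value: str) -> str:
    """Collapse nested ${lower:x}/${upper:x} lookups into x so the JNDI check sees
    the plain form; repeats until nothing changes."""
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r"\$\{(?:lower|upper):([^}]*)\}", r"\1", value, flags=re.IGNORECASE)
    return value


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    action: str  # "block" (adds score) or "deny" (immediate reject)
    score: int   # CRS-style severity points; 0 models a rule with no score attached


@dataclass
class Verdict:
    blocked: bool
    anomaly_score: int
    matched: list = field(default_factory=list)  # what a "Rule Counts" view would show


def evaluate(request: dict, rules: list, threshold: int) -> Verdict:
    """Run every rule over every request field and decide using the threshold."""
    score, matched = 0, []
    for value in request.values():
        text = normalize(value)
        for rule in rules:
            if rule.pattern.search(text):
                matched.append(rule.rule_id)
                if rule.action == "deny":
                    return Verdict(True, score, matched)
                score += rule.score  # only "block" rules contribute to the total
    return Verdict(score >= threshold, score, matched)
```

Running the same constructed request through a scoring rule with score 0, a scoring rule with score 5, and a "deny" rule shows why only the last two actually stop it.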
Ok, I went with this adaptation of the rules: https://support.kemptechnologies.com/hc/en-us/articles/4416473820045
Now it's working.
The below rules will block log4j. When I set up the below rules a few years ago in KEMP (which happen to block log4j), I manually installed the CRS rule set in what's now called "legacy WAF". The newer KEMP implementation, I believe, already comes with a CRS rule set customized for Kemp.
TL;DR: see if you can enable the below KEMP WAF rules:
ModSecurity \ 932100 \ Remote Command Execution: Unix Command Injection
ModSecurity \ 932130 \ Remote Command Execution: Unix Shell Expression Found
Reference: https://coreruleset.org/installation/
Log4j is a logging framework written in Java that provides an easy way for logging in Selenium. In a nutshell, the framework gives out information about everything that goes on during the software execution. Log4j also provides insight into anything that may have gone wrong during software execution or automation.
Thank you!
Permanently deleted user
Hello Christopher,
This would be a Java vulnerability, not an LM vulnerability. Java is not on the LM OS.
CVE-2021-44228
See this page for the patch for Log4j
https://logging.apache.org/log4j/2.x/security.html
If you have WAF you can mitigate against it using the rules described in this blog.
https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/