Log4Shell

Does anyone have a WAF rule to prevent the Log4Shell vulnerability?

Permanently deleted user

Hello Christopher, 

This would be a Java vulnerability, not an LM vulnerability. Java is not on the LM OS.

CVE-2021-44228

See this page for the patch for Log4j

https://logging.apache.org/log4j/2.x/security.html

If you have WAF, you can mitigate against it using the rules described in this blog.

https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/

Vinzenz Meyer

When I add those rules as custom rules to the Kemp WAF, it is detecting such attack vectors and displays them in "false positive analysis" -> "Rule Counts", but it doesn't raise the anomaly score and is not listed in "Anomaly Histogram". Consequently, it is not blocking such attacks no matter how low the "Anomaly Scoring Threshold" is, because those rules don't add any score to it.

Is it possible that I have a misconfiguration somewhere? I'm not very familiar with the WAF options in Kemp. Or do others have the same "problem"?

I decided to set those rules to "deny" instead of "block" for the time being. At least that's working.

Best regards

Vinzenz Meyer
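
The behaviour described in the comment above, shown as an added example that is not part of the original thread and not Kemp's own rule set: under ModSecurity anomaly scoring, a custom rule counts toward blocking only if it adds to the score itself. The rule ids, messages and simplified pattern are constructed, and the score variable name assumes CRS 3.3 conventions (`tx.anomaly_score_pl1`); check which accumulator your installed rule set's blocking evaluation reads.

```apache
# Added illustration, not taken from the thread. Ids 100001-100003 and the
# simplified pattern are constructed; production-grade patterns are in the
# CRS blog post linked earlier in the thread.

# Variant 1: match only.
# In anomaly-scoring mode the default action behind "block" is "pass",
# so this rule is logged and counted but never stops a request and never
# changes the anomaly score.
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS "@rx (?i)\$\{jndi:" \
    "id:100001,phase:2,block,log,t:none,t:urlDecodeUni,\
    msg:'Constructed example: JNDI lookup string (match only)',\
    severity:'CRITICAL'"

# Variant 2: match and score.
# The setvar action adds the critical score to the accumulator, so the
# request appears in the anomaly total and is rejected once the total
# reaches the configured threshold.
# Assumption: accumulator name as used by CRS 3.3 at paranoia level 1.
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS "@rx (?i)\$\{jndi:" \
    "id:100002,phase:2,block,log,t:none,t:urlDecodeUni,\
    msg:'Constructed example: JNDI lookup string (scored)',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Variant 3: immediate deny.
# "deny" is a disruptive action applied by the rule itself, independent of
# the anomaly score and threshold.
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS "@rx (?i)\$\{jndi:" \
    "id:100003,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
    msg:'Constructed example: JNDI lookup string (denied)',\
    severity:'CRITICAL'"
```

The three variants are alternatives for comparison; load one at a time when testing which behaviour your WAF shows.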

Vinzenz Meyer

Ok, I went with this adaptation of the rules: https://support.kemptechnologies.com/hc/en-us/articles/4416473820045

Now it's working.

Bruce Anderson

The below rules will block log4j. When I set up the below rules a few years ago in KEMP (which happen to block log4j), I manually installed the CRS rule set in what's now called "legacy WAF". The newer KEMP implementation, I believe, already comes with a CRS rule set customized for Kemp.

TL;DR: see if you can enable the below KEMP WAF rules:

ModSecurity \ 932100 \ Remote Command Execution: Unix Command Injection

ModSecurity \ 932130 \ Remote Command Execution: Unix Shell Expression Found

Reference: https://www.picussecurity.com/resource/blog/simulating-and-preventing-cve-2021-44228-apache-log4j-rce-exploits

Reference: https://coreruleset.org/installation/

Briana Price

Log4j is a logging framework written in Java that provides an easy way for logging in Selenium. In a nutshell, the framework gives out information about everything that goes on during the software execution. Log4j also provides insight into anything that may have gone wrong during software execution or automation.

Thank you!

Tellthebell
