Our developer team is working on this, with updated WAF baseline expected soon.
Meanwhile, administrator that wants WAF to filter out log4j vulnerability right now, can add following custom handlers under the appropriate application:
- InvalidURLHandler (set invalid_url_pattern)
- RequestHeaderHandler (set invalid_header_pattern)
- RequiredHeaderFieldHandler (set invalid_header_pattern)
Pattern for both of above could be:
Former has low chance of false-positives, but only protect from RCE (i.e. DoS CVE-2021-45105 is let through). Latter catches all log4j vectors known so far (both RCE and DoS), but with slightly higher chance of false-positives.