Reset Search
 

 

Article

KB44944 - Can PulseSecure Web Application Firewall Module help protect against log4j/jndi vunerabilities?

« Go Back

Information

 
Last Modified Date12/28/2021 3:09 PM
Synopsis
Problem or Goal
Log4j project has published several security advisories related to JNDI interface, as described in on Apache foundation website and in our KB article KB44933 - including:

- CVE-2021-4104
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105

Can WAF help protect against this?
Cause
Solution
Our developer team is working on this, with updated WAF baseline expected soon.

Meanwhile, administrator that wants WAF to filter out log4j vulnerability right now, can add following custom handlers under the appropriate application:

- InvalidURLHandler (set invalid_url_pattern)

- RequestHeaderHandler (set invalid_header_pattern)

- RequiredHeaderFieldHandler (set invalid_header_pattern)

Pattern for both of above could be:

.*(\$|%24)({|%7[bB])(j|J|%6[aA]|%4[aA]|\$|%24).*(}|%7[dD]).*

...or...
 
.*\${.*:.*}.*

Former has low chance of false-positives, but only protect from RCE (i.e. DoS CVE-2021-45105 is let through). Latter catches all log4j vectors known so far (both RCE and DoS), but with slightly higher chance of false-positives.
Related Links
Attachment 1 
Created ByAndy Chernyak

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255