NSX Advanced Load Balancer (Avi) WAF and CVE-2021-44228 Apache Log4j

Article ID: 317227

Updated On:

Products

VMware

Issue/Introduction

Leveraging the VMware NSX Advanced Load Balancer (Avi) WAF to protect applications and servers exposed to CVE-2021-44228 (Apache Log4j).
 

Update Dec 16th: 

The recommendations have been updated.

  • Log4j rules have been updated for precision.
    • Manual rules updated.
    • CRS-2021-4 released.
  • Rules checked for protection against CVE-2021-45046.
  • DataScript option has been added.

Resolution has been updated with the changes.


Resolution

The NSX Advanced Load Balancer (Avi) platform provides multiple layers of application protection, so several different features can be used and enabled against this vulnerability.

As a minimum, we recommend using either the NSX Advanced Load Balancer (Avi) WAF or an NSX Advanced Load Balancer (Avi) DataScript, in combination with IP Reputation blocking.

All of the proposed features are available to customers subscribed to Avi Pulse Cloud Services without extra charge.

Here are the individual steps:
 

NSX Advanced Load Balancer (Avi) WAF:

Download Avi CRS 2021-4 from the NSX Advanced Load Balancer (Avi) customer portal.

We recommend one of the following:
 

1. Update to the latest Avi CRS (2021-4) and make sure the new rules 4022060 and 4022061 are in Enforcement mode.
(New rules are normally added in Detection mode first to avoid false positives; for these two rules we strongly recommend switching to Enforcement immediately.)

(Screenshot: rules 4022060 and 4022061 in Enforcement mode)

(Screenshot: an attack blocked after the CRS 2021-4 update)

2. When updating the Avi CRS is not yet an option, adding the following two PRE-CRS rules provides the same protection.

Create a new PRE-CRS group and add these two rules to it.
Again, make sure the rules are in Enforcement mode.

Rule 1:
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx \${(?:jndi|ctx):" "id:4099843,phase:2,block,t:none,t:lowercase,t:urlDecodeUni,multimatch,msg:'CVE-2021-44228 / CVE-2021-45046 log4j vulnerability', tag:'attack-rce', tag:'paranoia-level/1', severity:'CRITICAL'"



Rule 2:
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@*  "@rx \${[^}]{0,4}\${" "id:4099844,phase:2,block,t:none,t:lowercase,t:urlDecodeUni,multimatch,msg:'CVE-2021-44228 / CVE-2021-45046 log4j vulnerability evasion', tag:'attack-rce', tag:'paranoia-level/1', severity:'CRITICAL'"

3. Customers who have Application Rules enabled can select the “apache” application, which also blocks the attacks related to this CVE.
We still recommend updating to the latest CRS as soon as possible and using it for protection.


Protection via DataScript

As another method to protect against CVE-2021-44228, we developed a DataScript that blocks the attack vectors.

The DataScript is available in the Avi DataScript Github repository.

Github Link

It needs to be installed as follows:

(Screenshot: DataScript installation steps)

(Screenshot: an attack blocked by the DataScript)

IP Reputation(*):

During our investigation we noticed that many of the IPs constantly scanning the internet for vulnerable machines are already covered by our IP Reputation service. We highly recommend using the included NSX Advanced Load Balancer (Avi) IP Reputation protection to block these known threat actors from reaching your applications.

Note: As reported, many scans are routed through the Tor network; blocking these IPs also affects legitimate users who reach your applications through Tor.

(Screenshot: IP Reputation lookup for an IP currently blocked)


(*) Pulse is required for IP Reputation updates. Make sure your Controller is registered and you have opted in to the IP Reputation feeds.

 
Note: Enabling WAF and IP Reputation on a Virtual Service has prerequisites, including correctly sizing the Service Engines and testing the application. Hence, we do NOT recommend enabling WAF and IP Reputation on production Virtual Services directly.
 


Additional Information


Change log:

  • December 16th 2021 - 07:00 PST: Log4j rules have been updated for precision, CRS-2021-4 released and rules checked for protection against CVE-2021-45046. DataScript option has been added.